Supply-chain threat intelligence

Incident detail

criticalnpm·obfuscation·osv

Malicious code in tailwind-animate-v4 (npm)

tailwind-animate-v4

Risk score

92

AI summary

Indexed incident for tailwind-animate-v4 (npm).

Description

The package presents itself as a Tailwind CSS animation plugin and reproduces the legitimate tailwindcss-animate source (including its original author metadata) verbatim in index.js. A long whitespace run at the end of the file visually hides an appended obfuscated loader. On require(), the loader permutation-decodes a string to recover the identifiers 'require', 'module', '__dirname', '__filename', and 'undefined', re-installs them on the global object, then resolves the Function constructor indirectly via a String prototype method whose name is produced by string permutation ('constructor'). It then uses Function() to compile and immediately invoke a large opaque decoded payload (uwg(4261)). This is dynamic execution of an obfuscated blob at library-load time, delivered under a name that mimics the widely used tailwindcss-animate package. Any project that adds this dependency and requires it will execute the hidden payload in the developer/build process, with full access to environment variables, filesystem, and network.

Technical details

Affected versions

=2.1.1=2.1.0=1.1.0=2.1.2

Indicators

  • affected version=2.1.175%
  • affected version=2.1.075%
  • affected version=1.1.075%
  • affected version=2.1.275%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents