OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10550 confirms this npm version as malicious. The package publishes under the name of the legitimate `better-tailwindcss` project but its package.json declares both a runtime and dev dependency on `better-tailwindcss` resolved from `http://pack.nppacks.com/npm/better-tailwindcss` — a plain-HTTP, non-registry host with no integrity hash and no TLS...
Advisory
MAL-2026-10550
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in better-tailwindcss (npm)
Details
The package publishes under the name of the legitimate `better-tailwindcss` project but its package.json declares both a runtime and dev dependency on `better-tailwindcss` resolved from `http://pack.nppacks.com/npm/better-tailwindcss` — a plain-HTTP, non-registry host with no integrity hash and no TLS. On `npm install`, npm fetches and installs that arbitrary, mutable tarball, and any install/postinstall scripts inside it execute on the installer's machine. The shipped code itself is a Babel plugin clone unrelated to the real better-tailwindcss project (a tailwind ESLint plugin) and carries a self-label describing the package as being for 'Security Research Testing Purpose,' confirming it is a namespace squat used as a delivery vehicle for code hosted at pack.nppacks.com.
Decision reason
One or more suspicious static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
HttpDependency
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 Medium1 Low
MediumHttp Dependency
LowScripts Present