registry  /  better-tailwindcss  /  4.6.3

better-tailwindcss@4.6.3

NPM

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10550 confirms this npm version as malicious. The package publishes under the name of the legitimate `better-tailwindcss` project but its package.json declares both a runtime and dev dependency on `better-tailwindcss` resolved from `http://pack.nppacks.com/npm/better-tailwindcss` — a plain-HTTP, non-registry host with no integrity hash and no TLS...

Advisory
MAL-2026-10550
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in better-tailwindcss (npm)
Details
The package publishes under the name of the legitimate `better-tailwindcss` project but its package.json declares both a runtime and dev dependency on `better-tailwindcss` resolved from `http://pack.nppacks.com/npm/better-tailwindcss` — a plain-HTTP, non-registry host with no integrity hash and no TLS. On `npm install`, npm fetches and installs that arbitrary, mutable tarball, and any install/postinstall scripts inside it execute on the installer's machine. The shipped code itself is a Babel plugin clone unrelated to the real better-tailwindcss project (a tailwind ESLint plugin) and carries a self-label describing the package as being for 'Security Research Testing Purpose,' confirming it is a namespace squat used as a delivery vehicle for code hosted at pack.nppacks.com.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
Manifest
HttpDependency
scanned 1 file(s), 4.73 KB of source

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 Medium1 Low
MediumHttp Dependency
LowScripts Present