OSV Malicious Advisory
scanned 5h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10073 confirms this npm version as malicious. Package name `tailwind-animate-v4` impersonates the legitimate `tailwindcss-animate` Tailwind plugin; the README and author field are copied verbatim from the legitimate package. The `main` entry `index.js` appends, after thousands of tab characters used as anti-review padding, a shuffled-string decoder that builds a function via the Function constructor and immediately invokes it at module load...
Advisory
MAL-2026-10073
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in tailwind-animate-v4 (npm)
Details
Package name `tailwind-animate-v4` impersonates the legitimate `tailwindcss-animate` Tailwind plugin; the README and author field are copied verbatim from the legitimate package. The `main` entry `index.js` appends, after thousands of tab characters used as anti-review padding, a shuffled-string decoder that builds a function via the Function constructor and immediately invokes it at module load. Before the eval, the payload assigns `require`, `__dirname`, and `__filename` onto `global` (with marker `global.o='1-project'`) so the decoded body regains full Node.js module capabilities. Any developer who installs this package and references it from `tailwind.config.js` (`require('tailwind-animate-v4')`) executes the hidden payload in their Node.js process at import time. The combination of name impersonation, hidden padding, string-shuffle obfuscation, and Function-constructor eval of an opaque body is an unambiguous supply-chain attack against installers of the legitimate plugin.
Decision reason
OpenSSF Malicious Packages via OSV confirms tailwind-animate-v4@2.1.1 as malicious (MAL-2026-10073): Malicious code in tailwind-animate-v4 (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory