registry  /  tailwind-animate-v4  /  2.1.1

tailwind-animate-v4@2.1.1

A Tailwind CSS plugin for creating beautiful animations.

OSV Malicious Advisory

scanned 6h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10073 confirms this npm version as malicious. Package name `tailwind-animate-v4` impersonates the legitimate `tailwindcss-animate` Tailwind plugin; the README and author field are copied verbatim from the legitimate package. The `main` entry `index.js` appends, after thousands of tab characters used as anti-review padding, a shuffled-string decoder that builds a function via the Function constructor and immediately invokes it at module load...

Advisory
MAL-2026-10073
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in tailwind-animate-v4 (npm)
Details
Package name `tailwind-animate-v4` impersonates the legitimate `tailwindcss-animate` Tailwind plugin; the README and author field are copied verbatim from the legitimate package. The `main` entry `index.js` appends, after thousands of tab characters used as anti-review padding, a shuffled-string decoder that builds a function via the Function constructor and immediately invokes it at module load. Before the eval, the payload assigns `require`, `__dirname`, and `__filename` onto `global` (with marker `global.o='1-project'`) so the decoded body regains full Node.js module capabilities. Any developer who installs this package and references it from `tailwind.config.js` (`require('tailwind-animate-v4')`) executes the hidden payload in their Node.js process at import time. The combination of name impersonation, hidden padding, string-shuffle obfuscation, and Function-constructor eval of an opaque body is an unambiguous supply-chain attack against installers of the legitimate plugin.
Decision reason
OpenSSF Malicious Packages via OSV confirms tailwind-animate-v4@2.1.1 as malicious (MAL-2026-10073): Malicious code in tailwind-animate-v4 (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory