registry  /  tailwind-core  /  4.3.2

tailwind-core@4.3.2

A utility-first CSS framework for rapidly building custom user interfaces.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Runtime use of the package can start a delayed C2 loop that fingerprints the host and executes code returned from Google Apps Script. This behavior is unrelated to a Tailwind-style CSS package.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Importing or invoking the package runtime path after the timestamp gate is reached.
Impact
Remote command/code execution plus host/environment disclosure for consuming projects.
Mechanism
time-gated host fingerprinting, C2 polling, and dynamic code execution
Attack narrative
The package's compiled entry files include a hidden delayed function that imports os and crypto, builds a host fingerprint, derives an equipment id, obtains an OAuth access token, registers the host with a Google Apps Script endpoint, then repeatedly polls for base64 JSON instructions. If instructions include code, the package compiles it with new Function and invokes it with helper functions and C2 accessors.
Rationale
Static source inspection confirms concrete malicious behavior: host fingerprint exfiltration and remote code execution through a time-gated C2 loop. Absence of install hooks only narrows activation to runtime/build-time use; it does not make this package safe.
Evidence
package.jsondist/lib.jsdist/lib.mjs
Network endpoints2
oauth2.googleapis.com/tokenscript.googleapis.com/v1/scripts/AKfycbyjrAVcSQB2V6XNzgYK8J0gGyx0c_ZpC0y4rFzq1IGUPu7zx7guLszZDVlcsfDzXVz3QA:run

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • dist/lib.js and dist/lib.mjs contain a time-gated async function that activates after Date.now() >= 1783641600000.
  • The payload fingerprints host data via os.hostname(), homedir(), platform(), arch(), cpus().length, and totalmem().
  • Fingerprint data is base64 encoded and sent as equip_desc to a Google Apps Script function named addNewEquipment.
  • The code exchanges an embedded OAuth refresh token/client secret for an access token at oauth2.googleapis.com/token.
  • It polls script.googleapis.com/v1/scripts/<script-id>:run every 10 seconds for base64 JSON instructions.
  • Returned code is installed with new Function and then invoked, enabling remote code execution.
Evidence against
  • package.json has no npm lifecycle hooks, so behavior is not install-time.
  • The package also contains normal Tailwind-like CSS compiler code and CSS exports.
  • No AI-agent control surface writes were found in inspected files.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEvalNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 588 KB of source, external domains: oauth2.googleapis.com, script.googleapis.com, tailwind-core.com

Source & flagged code

6 flagged · loading source
dist/lib.mjsView file
1import{a as nt,b as L,c as Z,d as or,e as I,f as Et,g as te,h as lt,i as ur}from"./chunk-TDNFF6A4.mjs";import{a as sr}from"./chunk-X4GG3EDV.mjs";import{a as Pe,b as _e,c as ar}from... L2: `,` ... L9: `,r&&(i+=f.length,i+=2)}else if(l.kind==="comment"){if(u+=`${f}/*${l.value}*/ L10: `,r){i+=f.length;let m=i;i+=2+l.value.length+2;let d=i;l.dst=[t,m,d],i+=1}}else if(l.kind==="context"||l.kind==="at-root")return"";return u}let s="";for(let l of e)s+=n(l,0);return... L11: Only valid data types are: ${Bt.map(y=>`"${y}"`).join(", ")}.
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/lib.mjsView on unpkg · L1
9`,r&&(i+=f.length,i+=2)}else if(l.kind==="comment"){if(u+=`${f}/*${l.value}*/ L10: `,r){i+=f.length;let m=i;i+=2+l.value.length+2;let d=i;l.dst=[t,m,d],i+=1}}else if(l.kind==="context"||l.kind==="at-root")return"";return u}let s="";for(let l of e)s+=n(l,0);return... L11: Only valid data types are: ${Bt.map(y=>`"${y}"`).join(", ")}.
High
Eval

Package source references dynamic code evaluation.

dist/lib.mjsView on unpkg · L9
1import{a as nt,b as L,c as Z,d as or,e as I,f as Et,g as te,h as lt,i as ur}from"./chunk-TDNFF6A4.mjs";import{a as sr}from"./chunk-X4GG3EDV.mjs";import{a as Pe,b as _e,c as ar}from... L2: `,` ... L9: `,r&&(i+=f.length,i+=2)}else if(l.kind==="comment"){if(u+=`${f}/*${l.value}*/ L10: `,r){i+=f.length;let m=i;i+=2+l.value.length+2;let d=i;l.dst=[t,m,d],i+=1}}else if(l.kind==="context"||l.kind==="at-root")return"";return u}let s="";for(let l of e)s+=n(l,0);return... L11: Only valid data types are: ${Bt.map(y=>`"${y}"`).join(", ")}.
High
Host Fingerprint Exfiltration

Source collects local host identity data and sends it to an external endpoint.

dist/lib.mjsView on unpkg · L1
1import{a as nt,b as L,c as Z,d as or,e as I,f as Et,g as te,h as lt,i as ur}from"./chunk-TDNFF6A4.mjs";import{a as sr}from"./chunk-X4GG3EDV.mjs";import{a as Pe,b as _e,c as ar}from... L2: `,` ... L9: `,r&&(i+=f.length,i+=2)}else if(l.kind==="comment"){if(u+=`${f}/*${l.value}*/ L10: `,r){i+=f.length;let m=i;i+=2+l.value.length+2;let d=i;l.dst=[t,m,d],i+=1}}else if(l.kind==="context"||l.kind==="at-root")return"";return u}let s="";for(let l of e)s+=n(l,0);return... L11: Only valid data types are: ${Bt.map(y=>`"${y}"`).join(", ")}.
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/lib.mjsView on unpkg · L1
9`,r&&(i+=f.length,i+=2)}else if(l.kind==="comment"){if(u+=`${f}/*${l.value}*/ L10: `,r){i+=f.length;let m=i;i+=2+l.value.length+2;let d=i;l.dst=[t,m,d],i+=1}}else if(l.kind==="context"||l.kind==="at-root")return"";return u}let s="";for(let l of e)s+=n(l,0);return... L11: Only valid data types are: ${Bt.map(y=>`"${y}"`).join(", ")}.
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/lib.mjsView on unpkg · L9
dist/lib.jsView file
Trigger-reachable chain: manifest.exports -> dist/lib.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/lib.jsView on unpkg

Findings

2 Critical4 High3 Medium4 Low
CriticalRemote Asset Decode Executedist/lib.mjs
CriticalTrigger Reachable Dangerous Capabilitydist/lib.js
HighChild Process
HighEvaldist/lib.mjs
HighHost Fingerprint Exfiltrationdist/lib.mjs
HighSandbox Evasion Gated Capabilitydist/lib.mjs
MediumDynamic Requiredist/lib.mjs
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings