npm

@tailwind-core/oxide-win32-x64-msvc @4.3.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4449

Ecosystem

npm

Summary

The package name @tailwind-core/oxide-win32-x64-msvc impersonates the legitimate Tailwind CSS scope @tailwindcss (published by tailwindlabs). The README claims this is the win32-x64-msvc binary for Tailwind v4's Rust engine @tailwindcss/oxide, but the source repository is github.com/QaLemos/tailwind-core, which has no association with Tailwind Labs. The package's main entry is a 3.1 MB compiled .node native addon with no accompanying JavaScript wrapper or source, so its behavior cannot be audited. Because consumers typically receive this package as an optional/platform dependency of the parent @tailwind-core/oxide package, a require() resolves directly to the opaque native binary and executes arbitrary native code in the consumer's Node.js process at load time. The combination of a scope-level typosquat against a top-tier package, a publisher mismatch, and an unverifiable native payload as the sole artifact matches a namespace-abuse-with-native-payload shape.

Source: amazon-inspector (d93cb69a6f12f5739ab03d78641f2a79179750b6182f65ba5b8fb8ec4a1399bc)
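
A lockfile check for the package described above, as an added example that is not part of this report or of any scanner's code: it walks a parsed package-lock.json (the v2/v3 packages map) and flags every installed copy under the impersonating scope, marking the exact name and version from this report. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: values under ADVISORY come from the report above;
// SAMPLE_LOCK is constructed for illustration.
const ADVISORY = {
  id: "MAL-2026-4449",
  name: "@tailwind-core/oxide-win32-x64-msvc",
  version: "4.3.0",
  lookalikeScope: "@tailwind-core", // impersonates @tailwindcss
};

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/@scope/name";
// the package name is whatever follows the last "node_modules/".
function nameFromLockKey(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? null : key.slice(i + marker.length);
}

// Returns one finding per installed copy under the lookalike scope.
function scanLockfile(lock, advisory = ADVISORY) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromLockKey(path);
    if (!name || !name.startsWith(advisory.lookalikeScope + "/")) continue;
    const exact = name === advisory.name && entry.version === advisory.version;
    findings.push({
      path,
      name,
      version: entry.version ?? null,
      optional: entry.optional === true, // platform packages usually arrive as optional deps
      match: exact ? advisory.id : "lookalike-scope",
    });
  }
  return findings;
}

// Constructed sample in lockfile v3 shape; versions other than 4.3.0 are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@tailwindcss/oxide": { version: "0.0.0" },
    "node_modules/@tailwind-core/oxide": { version: "0.0.0" },
    "node_modules/@tailwind-core/oxide-win32-x64-msvc": { version: "4.3.0", optional: true },
    "node_modules/x/node_modules/@tailwind-core/oxide-win32-x64-msvc": { version: "4.3.0", optional: true },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) console.log(f.match, f.path, f.version);
```

To check a real project, pass the parsed contents of its package-lock.json to scanLockfile; any finding means the lookalike scope is in the resolved tree, even on platforms where the optional binary was never downloaded.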
