@tailwind-core/postcss @4.3.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-4450
Ecosystem: npm
Summary:
Package name @tailwind-core/postcss is a one-character-class edit of the official @tailwindcss/postcss (Tailwind CSS v4 PostCSS plugin), published under the unrelated @tailwind-core scope by GitHub user QaLemos with homepage tailwind-core.com. The package's main entry dist/index.js performs require("@tailwind-core/node") and require("@tailwind-core/oxide") — both typosquats of the legitimate @tailwindcss/node and @tailwindcss/oxide siblings — and declares them as version-pinned dependencies (4.3.0), so installing this package silently pulls the attacker-controlled @tailwind-core/* family into the consumer's dependency tree. Whatever code those siblings contain auto-executes when the PostCSS plugin is loaded by a consumer's build. The README compounds the deception by displaying npm/version/downloads/license badges sourced from tailwindlabs/tailwindcss while linking issue/discussion targets back to QaLemos/tailwind-core, presenting metrics of the legitimate project as if they belonged to this fork.
Source: amazon-inspector (1dab944715339b0fabcf954a92fd33faacbb4d878368c36ea5a7d26d72fe2e56)