npm

@tailwind-core/webpack@4.3.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4452

Ecosystem

npm

Summary

Package @tailwind-core/webpack impersonates the legitimate Tailwind v4 webpack loader @tailwindcss/webpack. The README copies Tailwind Labs branding by linking logo assets at raw.githubusercontent.com/tailwindlabs/tailwind-core/HEAD/.github/logo-light.svg and claims a tailwind-core.com homepage, while the actual repo is QaLemos/tailwind-core (not Tailwind Labs). The loader code itself is a faithful copy of the upstream loader and performs no direct network or credential activity, but package.json pins three sibling typosquats as dependencies (tailwind-core@4.3.0, @tailwind-core/node@4.3.0, @tailwind-core/oxide@4.3.0), all sharing the same impersonated namespace and identical version. Installing this package transitively pulls those sibling packages into the installer's dependency tree; this is the namespace-abuse delivery vector: the lure looks like the official Tailwind v4 webpack loader and silently brings attacker-controlled siblings along.

Source: amazon-inspector (7955094460738dc65288f88a3bb990c7d3ff52ed3683f11265b7072bd80aa4e3)
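One way to check a project's lock file for the pattern this report describes (the listed package@version pairs, packages in a scope that imitates a genuine brand scope, and a cluster of such siblings pinned to one identical version), as an added example that is not part of the OSV record or of amazon-inspector's tooling; the GENUINE_SCOPE allowlist, the lock fragment and the non-Tailwind versions in it are constructed for the example:

```python
import json
from collections import defaultdict
# Package@version pairs named in OSV MAL-2026-4452 (the advisory above).
MAL_2026_4452 = {
    "@tailwind-core/webpack": "4.3.0",
    "tailwind-core": "4.3.0",
    "@tailwind-core/node": "4.3.0",
    "@tailwind-core/oxide": "4.3.0",
}
# Brand keyword -> the one scope that legitimately carries it. This allowlist is an
# assumption of the example; extend it for the brands your projects depend on.
GENUINE_SCOPE = {"tailwind": "@tailwindcss"}

def audit_lock(lock):
    """Return (kind, name, version) findings for the 'packages' map of a
    package-lock.json (lockfileVersion 2/3)."""
    findings, cluster = [], defaultdict(list)
    for path, meta in lock.get("packages", {}).items():
        if not path:                          # "" is the root project entry
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if MAL_2026_4452.get(name) == version:       # exact advisory hit
            findings.append(("known-malicious", name, version))
        scope = name.split("/", 1)[0] if name.startswith("@") else ""
        if any(b in scope and scope != g for b, g in GENUINE_SCOPE.items()):
            findings.append(("lookalike-scope", name, version))   # imitates a brand
            cluster[scope].append(version)
    # Several lookalike-scope packages all pinned to one identical version is the
    # sibling pattern the advisory describes (three @tailwind-core siblings @4.3.0).
    for scope, versions in cluster.items():
        if len(versions) >= 2 and len(set(versions)) == 1:
            findings.append(("sibling-cluster", scope, versions[0]))
    return findings

# Constructed lock fragment: the lure plus the siblings it pins, beside benign deps.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"@tailwind-core/webpack": "4.3.0"}},
    "node_modules/@tailwind-core/webpack": {"version": "4.3.0", "dependencies":
      {"tailwind-core": "4.3.0", "@tailwind-core/node": "4.3.0", "@tailwind-core/oxide": "4.3.0"}},
    "node_modules/tailwind-core": {"version": "4.3.0"},
    "node_modules/@tailwind-core/node": {"version": "4.3.0"},
    "node_modules/@tailwind-core/oxide": {"version": "4.3.0"},
    "node_modules/@tailwindcss/postcss": {"version": "4.0.0"},
    "node_modules/webpack": {"version": "5.90.0"}
  }
}""")
```

Point it at a real lock file with json.load(open("package-lock.json")) in place of SAMPLE_LOCK; any finding kind is a reason to remove the package and re-resolve the tree, since the siblings arrive transitively rather than through anything the project declared.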
