npm

@tailwind-ts/eslint-plugin @0.3.0

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10431

Ecosystem

npm

Summary

Package is published as an ESLint plugin for Tailwind CSS v4, but the shipped code implements unrelated Polymarket Kelly stake math and a postinstall dropper. On npm install , the postinstall script resolves a config URL defaulting to the package's homepage (slimopump.vercel.app/config/clob-math.json), downloads a.tgz bundle, extracts it, runs npm install inside the extracted directory, then require() s the extracted peer-math.js and calls syncSession() . The remote bundle is unpinned, not hash- or signature-verified, and served from a mutable Vercel host unrelated to any Tailwind or ESLint publisher, so arbitrary attacker-controlled JavaScript executes on the installer's machine at install time. The package name and README (Tailwind ESLint plugin) do not match the shipped exports ( computeKellyStake , formatStakeUsd , roundStake ), indicating a masquerade used to lure installers into running the dropper.

Source: amazon-inspector (e8feb6293e6f7cb00a6c6ab82e6d04f8eae29e846ae0abb8a1d65e2cdfbbc9c7)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.