clsx-tailwind @1.0.1
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5625
Ecosystem
npm
Summary
Package advertises a trivial Tailwind class-name merger (a 5-line cn() helper), but its main entry dist/index.js unconditionally requires dist/lib/lib.min.js, which runs at import time. That file (a) assigns require and module onto the global object so subsequently-evaluated code can resolve modules without containing literal require/module tokens, (b) reconstructs method names and an executable body via a hand-rolled string-shuffle decoder (YWG), and (c) resolves YWG[OSN] to Function.constructor and immediately invokes it on the decoded blob, evaluating obfuscated code on every consumer's require('clsx-tailwind'). The combination of heavy string-shuffle obfuscation, dynamic Function() evaluation of the decoded output, leaking require/module into the global namespace, and a payload entirely unrelated to the package's advertised purpose is the canonical malicious-payload shape. Any process that imports this package executes attacker-controlled code with the privileges of the host application.
Source: amazon-inspector (6e1efb9d7593baede89024227d99cc6ca9fc0c86e1f0faf8dd78560174cf1b39)