npm

tailwind-animate-v4 @2.1.1

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-10073

Ecosystem

npm

Summary

Package name tailwind-animate-v4 impersonates the legitimate tailwindcss-animate Tailwind plugin; the README and author field are copied verbatim from the legitimate package. The main entry index.js appends, after thousands of tab characters used as anti-review padding, a shuffled-string decoder that builds a function via the Function constructor and immediately invokes it at module load. Before the eval, the payload assigns require , __dirname , and __filename onto global (with marker global.o='1-project' ) so the decoded body regains full Node.js module capabilities. Any developer who installs this package and references it from tailwind.config.js ( require('tailwind-animate-v4') ) executes the hidden payload in their Node.js process at import time. The combination of name impersonation, hidden padding, string-shuffle obfuscation, and Function-constructor eval of an opaque body is an unambiguous supply-chain attack against installers of the legitimate plugin.

Source: amazon-inspector (f84f64cb815db4292d41676cee2df5e9e5ca2953ed29f3bd2288e83d7c3779dc)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.