tailwind-color-shades @1.0.2
Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 10:45 PM UTC
OSV ID
MAL-2026-6471
Ecosystem
npm
Summary
The package's documented entry point index.ts begins with import './src/bootstrap';, which causes src/bootstrap.js to run whenever the module is required or imported. src/bootstrap.js is a custom string-shuffle obfuscator: a function YWG(x) deterministically unscrambles opaque string literals (e.g. YWG('axhscuutcrogycrneotisjlnkdpfqmzovtrwb').substr(0,11) reconstructs the literal 'constructor'), then uses Function.prototype.constructor to build a Function from one shuffled blob, executes it on a second shuffled blob, and invokes the result via XZs(7942). Before invoking the constructed code the bootstrap explicitly re-exposes Node capabilities to it via global['r']=require; global['m']=module;, granting the dynamically generated payload full filesystem, child_process, and network access. The package's advertised purpose is straightforward Tailwind color-shade math — a few dozen lines of pure arithmetic — so a hand-rolled string-shuffle obfuscator wrapping Function-constructed code at import time has no legitimate purpose. This is the standard supply-chain attack shape: opaque payload, evasion-only obfuscation, automatic execution on consumer import, full Node capability re-export.
Source: amazon-inspector (dfd681005962f5628f4394450bae9430992e58159e3256bb4af2bc156c5c1fc5)
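The four indicators the summary names (a side-effect-only import in the entry point, re-export of require/module onto global, access to the Function constructor, and long opaque literals fed to an unscrambler) can be checked statically before a package is allowed into a build. The following is an added example, not code from the OSV record or from the package; the file layout, the indicator names, and the two sample packages are constructed for illustration, and the YWG stand-in simply returns its input.

```javascript
// Added example, not from the OSV record or the package: a static check for the
// import-time bootstrap shape the summary describes. It matches text only and
// never executes the scanned source.
const INDICATORS = [
  // Bare `import './x'` / `require('./x')` that binds nothing: runs code on import.
  { id: 'side-effect-import', re: /^\s*(?:import\s+['"][^'"]+['"]|require\(\s*['"][^'"]+['"]\s*\))\s*;?\s*$/ },
  // global['r']=require / global.m=module: hands Node capabilities to generated code.
  { id: 'global-capability-export', re: /\bglobal(?:This)?\s*(?:\[\s*['"][^'"]*['"]\s*\]|\.\w+)\s*=\s*(?:require|module|process)\b/ },
  // Reaching the Function constructor directly or through a 'constructor' lookup.
  { id: 'function-constructor', re: /Function\.prototype\.constructor|\bnew\s+Function\s*\(|\[\s*['"]constructor['"]\s*\]/ },
  // A long space-free alphanumeric literal fed to a one-argument call: a shuffled blob.
  { id: 'opaque-literal-arg', re: /\b\w+\(\s*['"][A-Za-z0-9]{24,}['"]\s*\)/ },
];

// Returns [{ file, id, line }] for every indicator matched on every line of every file.
function scanPackage(files) {
  const hits = [];
  for (const [file, src] of Object.entries(files)) {
    src.split('\n').forEach((text, i) => {
      for (const { id, re } of INDICATORS) {
        if (re.test(text)) hits.push({ file, id, line: i + 1 });
      }
    });
  }
  return hits;
}

// 'block' when an import-time side effect coexists with capability re-export and
// opaque/constructed code; 'review' for any lone indicator; 'ok' otherwise.
function assess(files) {
  const hits = scanPackage(files);
  const ids = new Set(hits.map((h) => h.id));
  const generated = ids.has('function-constructor') || ids.has('opaque-literal-arg');
  const block = ids.has('side-effect-import') && ids.has('global-capability-export') && generated;
  return { verdict: block ? 'block' : ids.size ? 'review' : 'ok', hits };
}

// Constructed samples: a plain color-math entry point, and one mimicking the report.
const BENIGN = { 'index.ts': 'export const darken = (v, pct) => Math.round(v * (1 - pct / 100));\n' };
const SUSPECT = {
  'index.ts': "import './src/bootstrap';\nexport const darken = (v, pct) => Math.round(v * (1 - pct / 100));\n",
  'src/bootstrap.js': [
    'function YWG(x) { return x; } // stand-in; the real unscrambler reorders characters',
    "global['r']=require; global['m']=module;",
    "var k = YWG('axhscuutcrogycrneotisjlnkdpfqmzovtrwb').substr(0,11);",
  ].join('\n'),
};

console.log(assess(BENIGN).verdict, assess(SUSPECT).verdict); // ok block
```

A 'review' verdict is expected for benign packages that legitimately carry long literals (test vectors, embedded fonts), so the lone-indicator tier is a triage queue, not a block.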