tailwind-style-typography @0.5.8

Summary

The package name impersonates the official @tailwindcss/typography plugin and replicates its README and source verbatim (including links to tailwindlabs/tailwindcss-typography), but src/index.js appends an obfuscated IIFE that runs whenever a consumer require()s the package. The trailing block uses a custom Fisher-Yates-style shuffle decoder (sfL) to reconstruct the strings 'require', 'module', and 'constructor' from a scrambled alphabet, resolves the Function constructor via String.constructor (dgC=sfL[EKc]), builds a function from a decoded payload (xBg=dgC(Apa, sfL(joW))), and immediately invokes it with a second decoded blob (Tgw(2509)). This is eval-of-opaque-string at module load time, hidden behind a custom decoder specifically designed to defeat static review. Any project that adopts this 'plugin' executes attacker-controlled JavaScript inside its build process, with full access to the developer's environment, source tree, and any credentials reachable from the build host. The combination of (a) deliberate name impersonation of a top-tier Tailwind package, (b) verbatim cover-story README/code, and (c) injected obfuscated Function-constructor execution leaves no benign interpretation.

Source: amazon-inspector (0818530f40672586168012538662486135f040526d0e4377f362b6bfe2f61bd2)