tailwindcss-effector @1.7.0
Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 9:44 PM UTC
OSV ID: MAL-2026-6472
Ecosystem: npm
Summary
src/index.js appends a heavily obfuscated async IIFE after a legitimate-looking TailwindCSS plugin. On import, the IIFE issues HTTPS requests to remote JSON-RPC endpoints (TRON-style transaction queries reading .data[0].raw_data.data, and Ethereum-style eth_call reading result.input.substring(2)), XOR-decrypts the returned hex bytes, and executes them: the primary path calls eval(e) on the decoded payload, and a secondary path spawns a detached child process via child_process.spawn(..., {detached:true, stdio:..., windowsHide:true}) whose output is also eval'd in an error handler. All sensitive strings (URLs, RPC method names, host names, module/method names, argv) are hidden behind a custom string-shuffle decoder _$_d407=(function(b,m){...})("<blob>",3168449), indexed as _$_d407[N]. The package name pattern (effector vs. tailwindcss-animated / tailwindcss-animate) plus malicious code grafted onto a working plugin is consistent with typosquat-with-payload. Anyone who installs and imports this package executes attacker-controlled JavaScript decoded from on-chain RPC responses and gains a persistent detached child process — full RCE on the installer's machine, with the C2 channel hidden inside legitimate-looking blockchain RPC traffic.
Source: amazon-inspector (4780f88b1924c1d5104a4ea18803a0180e9339e5c9a9bf787f9ed4901e1729e3)