tailwindcss-merge @1.0.4
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5632
Ecosystem
npm
Summary
The package name tailwindcss-merge is a one-character edit of the popular tailwind-merge utility, and the README documents it as a drop-in (import { ... } from 'tailwindcss-merge'). src/index.ts line 13 ends with a side-effect import, import './lib/lib.min.js';, even though the manifest claims sideEffects: false. src/lib/lib.min.js is a heavily obfuscated bootstrap that (a) stashes require into global['r'] and module into global['m'], (b) uses a deterministic Knuth-style string shuffle seeded with 2540575 to deshuffle the literal 'axhscuutcrogycrneotisjlnkdpfqmzovtrwb' into the string 'constructor', (c) dereferences that to obtain the Function constructor, and (d) deshuffles two further opaque blobs and executes them via Function('', decoded)(decoded2) followed by XZs(7942). The combination — typosquat name, side-effect import contradicting the manifest, capture of require / module into globals immediately before a two-stage opaque-string-to-Function eval chain — exists only to hide arbitrary code execution from review. Any consumer who imports this package (directly, or via the source field that bundlers like Parcel and Microbundle resolve to src/index.ts) executes the eval'd payload at module load with full access to require, enabling child-process spawning, network I/O, and filesystem reads. The manifest also points main at ./dist/bundle-cjs.js, but no dist/ directory ships in the tarball, and the author field is empty — publication-hygiene tells consistent with a hastily assembled typosquat.
Source: amazon-inspector (37e379cbf2d39f386221b7e0896b9331c7a52dc62a74bee6ded47962a77074b7)