npm

tw-fluid-type @1.0.1

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5638

Ecosystem

npm

Summary

The package advertises itself as a Tailwind CSS fluid-type plugin but ships src/utils/lib.min.js, which is loaded as a side effect when the package's main entry point is required. createClasses.js (reached from src/index.js) does const lib = require('./lib.min.js') and never uses the returned value; the only purpose of the require is to trigger the file's IIFE. lib.min.js caches global.r = require and global.m = module, then runs a ~4KB string through a custom Fisher-Yates-style deterministic shuffle (function YWG, seed 2540575) to decode JavaScript source, resolves the Function constructor via an obfuscated property lookup (YWG['constructor']), and invokes Function(...)(decoded_body) to execute the decoded code with full access to the cached require/module. A declarative CSS-utility plugin has no legitimate need to construct functions from shuffled-string blobs, cache require/module on the global object, or conceal its executable logic with a custom shuffle. Any consumer who imports this package executes the concealed payload at module load.

Source: amazon-inspector (5c3bc3497d6c683f52210ca201500d27cf9e2bcccd976883be2ed85d17569b54)
