tw-theme-kit @1.1.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5935
Ecosystem
npm
Summary
The published entrypoints dist/index.cjs and dist/runtime.cjs contain an injected IIFE that assigns global.r = require and global.m = module, tags the host with the campaign id 'A6-Orion-271', uses a string-shuffle helper to reconstruct the identifier 'constructor', then invokes Function() on a deshuffled obfuscated blob and immediately calls the resulting function. Any consumer that does require('tw-theme-kit') or import 'tw-theme-kit/runtime' therefore runs attacker-controlled code at load time, with full Node capabilities (fs, child_process, net) reachable through those globals. This behavior is unrelated to the package's stated purpose (a Tailwind theme plugin) and matches the fingerprint of the 'Orion' obfuscated-loader campaign. The .mjs builds and source maps embed the same obfuscated literal, so no entrypoint is safe.
Source: amazon-inspector (0144b9ea6743e481e49885f6375a8aa990e9a20bfc5da1148b7df59a9370736c)