typography-stylecss @0.7.4
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-3776
Ecosystem
npm
Summary
The package impersonates the legitimate @tailwindcss/typography plugin: README, src/index.js, src/utils.js, and src/styles.js are copied verbatim from the Tailwind Labs plugin, and peerDependencies lists tailwindcss to reinforce the masquerade, but the package is published under the unrelated name typography-stylecss. Appended to src/index.js after the legitimate module.exports = plugin.withOptions(...) is an obfuscator.io-style payload (hex-named identifiers _0x168f6b, _0x3fc27f, etc., with a rotated string table _0x5975). Decoded string-table fragments include platform branching ('win32', 'windows', 'agent-linux-') and a URL path template /agents/<deploymentHash> built against a base URL read from a __SSTAR_API_BASE global, consistent with downloading a platform-specific agent binary and executing it. Because this code sits at module top level, it fires on require('typography-stylecss') / import 'typography-stylecss', which is exactly the usage the cloned README instructs developers to add to their tailwind.config.js. Any build or dev server that loads the Tailwind config will therefore trigger the dropper, which fetches and runs an attacker-controlled native binary on the installer's machine.
Source: amazon-inspector (4eeb50f69746fd21696baaa7d3534bbd22489edb037742ca591d49ca88981f70)