Malicious package

tailwind-animator-scroll (npm)

Malicious code in tailwind-animator-scroll (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5618
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall tailwind-animator-scroll

What this malware does

The package's main entry src/index.js appends, after a large whitespace gap following the legitimate-looking Tailwind plugin code, an eval(atob('Z2xvYmFsWychJ109JzExJzt2YXIgXyRfMWU0Mj0...')) call. The decoded first stage re-exposes Node's require and module as global aliases (global['c']=require, etc. — typo-style obfuscation) and then invokes a second-stage IIFE that uses a custom shuffle decoder plus the Function() constructor to assemble and execute a further opaque payload. Because this lives in the main entry, simply adding the plugin to tailwind.config.js executes attacker-controlled code inside the developer's build environment, where CI tokens, environment variables, source code, and credentials are all reachable. The package additionally impersonates the legitimate tailwindcss-animationfound plugin: the README copies its CSS class names and API surface verbatim, the install snippet uses yet another misspelling (tailwind-animatior-scroll), and a shields.io badge links to the real tailwindcss-animationfound package — a typosquat lure designed to catch developers who mistype or fuzzy-search for the legitimate plugin.
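A static check for the traits described above (a long whitespace gap before trailing code, eval(atob(...)), global aliasing of require/module, and the Function() constructor), as an added example that is not part of the advisory or the finder's tooling. The rule names, the 200-character gap threshold and the sample input are assumptions constructed for illustration; nothing is executed, base64 literals are only decoded and re-scanned.

```javascript
// Heuristic static scan of a package entry file. No scanned code is ever run.
const GAP = 200; // assumed threshold: whitespace run long enough to push code off-screen

const RULES = [
  { id: 'whitespace-gap', re: new RegExp(`\\s{${GAP},}(?=\\S)`) },
  { id: 'eval-of-base64', re: /\beval\s*\(\s*atob\s*\(/ },
  { id: 'global-require-alias', re: /\bglobal\s*\[[^\]]+\]\s*=\s*(require|module)\b/ },
  { id: 'function-constructor', re: /(?:\bnew\s+)?\bFunction\s*\(/ },
];

// Decode every base64 string literal passed to atob() so the next stage
// can be inspected as text instead of being evaluated.
function decodeStages(src) {
  const out = [];
  const re = /atob\s*\(\s*(['"`])([A-Za-z0-9+/=]+)\1\s*\)/g;
  for (const m of src.matchAll(re)) {
    out.push(Buffer.from(m[2], 'base64').toString('utf8'));
  }
  return out;
}

// Apply every rule to the file text and to each decoded stage.
function scanSource(src) {
  const decoded = decodeStages(src);
  const hits = new Set();
  for (const layer of [src, ...decoded]) {
    for (const rule of RULES) {
      if (rule.re.test(layer)) hits.add(rule.id);
    }
  }
  return { hits: [...hits].sort(), decoded };
}

// Constructed sample: a benign stand-in with the layout the advisory describes
// (plugin code, whitespace gap, trailing eval of a base64 literal).
const stage1 = "global['c']=require;/* constructed placeholder, not the real payload */";
const sample =
  'module.exports = function plugin() { return {}; };' +
  ' '.repeat(500) +
  `eval(atob('${Buffer.from(stage1).toString('base64')}'))`;
const clean = 'module.exports = function plugin() { return {}; };\n';

console.log(scanSource(sample)); // three rule ids plus the decoded first stage
console.log(scanSource(clean));  // no hits
```

To check a real file, pass its contents (for example from fs.readFileSync(path, 'utf8')) to scanSource and review any decoded stage by eye.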

Malicious versions

1 flagged
1.7.0

Indicators of compromise (SHA-256)

ba3df97ff156b8e1e30b41be70b8a14bf5ca95949640fb51a96b3369231cf372
f89c3c4c01375bc7baef213c815a901ac3947eaf3835aa80ea67a725ece8d533

Frequently asked questions

No. tailwind-animator-scroll on npm has been identified as a malicious package (version 1.7.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005708, IN-MAL-2026-005707

Credits

  • Amazon Inspector · finder

tailwind-animator-scroll (npm) malicious package — MAL-2026-5618 | O3 Security