Which versions of tailwind-form are malicious?

The following npm versions of tailwind-form are flagged malicious: 0.5.12. Treat any of these as compromised.

How do I remediate tailwind-form if I installed it?

Remove tailwind-form from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is tailwind-form part of a known attack campaign?

Yes — tailwind-form is associated with the IN-MAL-2026-005189 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect tailwind-form in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking tailwind-form and packages like it before any post-install script runs.

Malicious package

tailwind-formnpm

Malicious code in tailwind-form (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5487

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall tailwind-form

What this malware does

tailwind-form is a typosquat of the legitimate @tailwindcss/forms plugin (README and repository field are copied from tailwindlabs/tailwindcss-forms, but the package is published under an unrelated name by an unaffiliated author). The main module src/index.js ends with an eval that fetches https://www.jsonkeeper.com/b/NFTTN via axios and eval's the returned JSON field content_o. Any project that requires this package executes whatever JavaScript is currently hosted at that public, author-mutable paste URL — giving the publisher unconditional remote code execution on every installer's machine at module-load time.

Malicious versions

1 flagged

0.5.12

Indicators of compromise (SHA-256)

37a2959fd43465328b090afd0464e0e3de0e1677ecd2068d4ef05bdfe5867b79

Frequently asked questions

No. tailwind-form on npm has been identified as a malicious package (version 0.5.12 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005189

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection