Which versions of tailwind-style-typography are malicious?

The following npm versions of tailwind-style-typography are flagged malicious: 0.5.8. Treat any of these as compromised.

How do I remediate tailwind-style-typography if I installed it?

tailwind-style-typography is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed tailwind-style-typography — how do I know if it already compromised me?

If tailwind-style-typography was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is tailwind-style-typography part of a known attack campaign?

Yes — tailwind-style-typography is associated with the IN-MAL-2026-004245, GHSA-pv74-wmjg-4gp8 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find tailwind-style-typography across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for tailwind-style-typography (version 0.5.8). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging tailwind-style-typography across your stack and pipelines.

Malicious package

tailwind-style-typographynpm

Malicious code in tailwind-style-typography (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4680

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall tailwind-style-typography

What this malware does

The package name impersonates the official @tailwindcss/typography plugin and replicates its README and source verbatim (including links to tailwindlabs/tailwindcss-typography), but src/index.js appends an obfuscated IIFE that runs whenever a consumer require()s the package. The trailing block uses a custom Fisher-Yates-style shuffle decoder (sfL) to reconstruct the strings 'require', 'module', and 'constructor' from a scrambled alphabet, resolves the Function constructor via String.constructor (dgC=sfL[EKc]), builds a function from a decoded payload (xBg=dgC(Apa, sfL(joW))), and immediately invokes it with a second decoded blob (Tgw(2509)). This is eval-of-opaque-string at module load time, hidden behind a custom decoder specifically designed to defeat static review. Any project that adopts this 'plugin' executes attacker-controlled JavaScript inside its build process, with full access to the developer's environment, source tree, and any credentials reachable from the build host. The combination of (a) deliberate name impersonation of a top-tier Tailwind package, (b) verbatim cover-story README/code, and (c) injected obfuscated Function-constructor execution leaves no benign interpretation.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious versions

1 flagged

0.5.8

Indicators of compromise (SHA-256)

0818530f40672586168012538662486135f040526d0e4377f362b6bfe2f61bd2

6be3309e5c75c7b9384af322a3177e1264bb20d7d63a49ba2d450d5ca4cf7901

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for tailwind-style-typography (version 0.5.8). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging tailwind-style-typography across your stack and pipelines.
If you installed it — respond
tailwind-style-typography is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If tailwind-style-typography was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks tailwind-style-typography before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. tailwind-style-typography on npm has been identified as a malicious package (version 0.5.8 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004245GHSA-pv74-wmjg-4gp8

References

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks tailwind-style-typography-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring