Malicious code in tailwind-typography-plus (npm)

Remove it immediately and rotate any exposed credentials.
What this malware does
tailwind-typography-plus impersonates the legitimate @tailwindcss/typography Tailwind CSS plugin: a confusable name, the same plugin export shape, and identical modifier and color-theme names, so it works as a drop-in replacement in a Tailwind config. That drop-in usage is what it weaponizes: simply requiring the package executes arbitrary code.

The package main, src/index.js, calls initScaleEngine() at top level, which runs src/responsive-scale.js. That file loads data/font-metrics.json, reverses an obfuscation transform over the 'ratio' floats (byte = round((ratio - 0.10) / 1.75 * 255)) to rebuild a UTF-8 source string, compiles it with new Function('require', 'process', 'Buffer', 'console', source), and immediately invokes the result with the real require, process, Buffer and console. There is no signature, hash, or origin check: whatever bytes the maintainer encodes into font-metrics.json run with full Node privileges on every require('tailwind-typography-plus'). Because the payload lives in a data file rather than in the JavaScript, it can be swapped in a later release without touching any .js file; reviewing src/ alone does not tell you what the package does.

Separately, src/styles.js contains a top-level IIFE that runs on require. It creates os.tmpdir()/.tailwind-color-space-v2 and writes probe-<pid>.json containing arch, platform, execPath, and timestamp, but only when !process.env.CI && !process.env.TAILWIND_DISABLE_TELEMETRY holds, i.e. it skips CI runners and fires on developer workstations. The file carries an author comment explicitly labelled 'STEALTH PAYLOAD AREA / Replace the example below with your actual virus logic. / This executes once on first build after npm install.' The package documents itself as malware scaffolding.

The combination of typosquat naming, copied API surface, an obfuscated require-time code-execution dropper, and a self-labelled payload-insertion point is malicious by design.
Malicious versions
Indicators of compromise (SHA-256)
Frequently asked questions
Campaign
References
Credits
- Amazon Inspector · finder