Which versions of tw-theme-kit are malicious?

The following npm versions of tw-theme-kit are flagged malicious: 1.1.0. Treat any of these as compromised.

How do I remediate tw-theme-kit if I installed it?

Remove tw-theme-kit from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is tw-theme-kit part of a known attack campaign?

Yes — tw-theme-kit is associated with the IN-MAL-2026-006848 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect tw-theme-kit in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking tw-theme-kit and packages like it before any post-install script runs.

Malicious package

tw-theme-kitnpm

Malicious code in tw-theme-kit (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5935

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall tw-theme-kit

What this malware does

The published entrypoints dist/index.cjs and dist/runtime.cjs contain an injected IIFE that assigns global.r = require and global.m = module, tags the host with campaign id 'A6-Orion-271', uses a string-shuffle helper to reconstruct the identifier 'constructor', then invokes Function() on a deshuffled obfuscated blob and immediately calls the resulting function. Any consumer that does require('tw-theme-kit') or import 'tw-theme-kit/runtime' triggers attacker-controlled code at load time with full Node capabilities (fs, child_process, net) exposed via the globals. This behavior is unrelated to the package's stated purpose (a Tailwind theme plugin) and matches the fingerprint of the 'Orion' obfuscated-loader campaign. The.mjs builds and source-maps embed the same obfuscated literal, so no entrypoint is safe.

Malicious versions

1 flagged

1.1.0

Indicators of compromise (SHA-256)

0144b9ea6743e481e49885f6375a8aa990e9a20bfc5da1148b7df59a9370736c

Frequently asked questions

No. tw-theme-kit on npm has been identified as a malicious package (version 1.1.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006848

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection