Skip to content
supplychainattack.orgSupply chain attack incident catalog
containedcritical

Malware in tailwind-core

Malware was distributed via the npm package tailwind-core. Systems with the package installed are considered fully compromised and require immediate remediation.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
Any system with the malicious tailwind-core package installed
Ecosystems
Attack vectors
Affected entities
  • tailwind-corenpm package

A malicious version of the npm package tailwind-core was published and distributed to users. The package contained malware that grants full control of affected systems to an outside entity.\n\nAny computer with this package installed or running should be considered fully compromised. The malware may have established persistence mechanisms that could survive package removal.\n\nImmediate action is required: all secrets, keys, and credentials stored on affected systems must be rotated from a different, uncompromised computer. The package should be removed, though removal alone may not eliminate all malicious artifacts.

Indicators of compromise

Packages
  • tailwind-core

Remediation

  • Immediately remove the tailwind-core package from all affected systems
  • Rotate all secrets, API keys, credentials, and tokens from a different, uncompromised computer
  • Perform a full security audit and malware scan of affected systems
  • Review system logs and network traffic for signs of unauthorized access or data exfiltration
  • Consider the affected systems compromised and plan for full rebuild if critical infrastructure
  • Monitor for any lateral movement or persistence mechanisms installed by the malware

Sources

  1. GitHub Advisory GHSA-m6r5-49q4-pv25 · GitHub Advisory Database

Cite this entry

"Malware in tailwind-core." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 9, 2026; last updated July 9, 2026. https://supplychainattack.org/incident/malware-in-tailwind-core-hqj244

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

  1. resolvedcritical

    Malware in rony-testing

    The npm package rony-testing contained malware that provided full system compromise to attackers. Any computer with this package installed or running should be considered fully compromised.

    npmCompromised package
  2. resolvedcritical

    Malware in gas-log

    The npm package gas-log contained malware that provided full system compromise to attackers. Any computer with the package installed or running should be considered fully compromised.

    npmCompromised package
  3. activecritical

    Malware in na-rony-test-karem

    The npm package na-rony-test-karem contains malware that grants full control of affected systems to an outside entity. Any computer with this package installed or running should be considered fully compromised.

    npmCompromised package
  4. activecritical

    Malware in mci-sdk

    Malware discovered in the npm package mci-sdk. Any computer with this package installed or running should be considered fully compromised. All secrets and keys must be rotated immediately from a different computer.

    npmCompromised package