“The malicious Material Tailwind npm package, while posing as a helpful development tool, has an automatic post-install script,” Karlo Zanki, security researcher at ReversingLabs, said in a report shared with The Hacker News.