Security: remove PolinRider payload from tailwind.config.js and restore clean CommonJS config

[Copilot]

tailwind.config.js on develop contained a PolinRider-style multi-stage obfuscated payload appended after the valid config terminator, plus injected createRequire lines corrupting the import block. This change restores the file to a clean CommonJS Tailwind config and removes the hidden executable payload entirely.

• Tailwind config remediation

  • Replaced tailwind.config.js with the clean expected version.
  • Removed injected import { createRequire } from 'module' / createRequire(import.meta.url) lines.
  • Ensured no trailing content exists after the final };.

• Supply-chain signature sweep across config surface

  • Checked adjacent build/config files (including webpack.config.js and postcss.config.js) for PolinRider indicators (global['!'], _$_, hidden post-terminator payload patterns).
  • No matching injections were found in those files.

Example of restored config shape:

const {
  scopedPreflightStyles,
  isolateInsideOfContainer,
} = require('tailwindcss-scoped-preflight');

module.exports = {
  important: '.wedocs-document',
  // ...
};

Original prompt

🚨 Security: Remove PolinRider Malicious Payload from tailwind.config.js

What was injected

The file tailwind.config.js on the develop branch contains a PolinRider multi-stage obfuscated JavaScript supply chain attack injected after the legitimate closing };. The current file (BlobSha: 5cca3ff76f4921282b61c8af90c7ca281b6bb9ee) has two injection points:

1. Lines 3–5: import { createRequire } from 'module'; const require = createRequire(import.meta.url); was inserted in the middle of a valid import { block, deliberately corrupting the syntax and hijacking Node.js require.
2. After line 26 };: A massive obfuscated payload is appended on the same line as the closing }; (invisible in normal diffs due to whitespace padding). This is the PolinRider pattern: global['!']='9-3463-4';var _$_1e42=(function(l,e){ /* ... */ })("rmcej%otb%",2857687); — a multi-stage eval chain that exfiltrates credentials/secrets/env vars on every build/dev-server invocation.

Fix required

Replace tailwind.config.js entirely with the clean version below. The file is a CommonJS config (module.exports), so import { syntax is wrong — use const { ... } = require(...):

/** @type {import('tailwindcss').Config} */
const {
  scopedPreflightStyles,
  isolateInsideOfContainer,
} = require('tailwindcss-scoped-preflight');

const rootClass = '.wedocs-document'; //We will use this class to scope the styles.

module.exports = {
  important: rootClass,
  content: [ './templates/*.php', './templates/**/*.php', './src/**/*' ],
  theme: {
    extend: {},
  },
  plugins: [
    scopedPreflightStyles( {
      isolationStrategy: isolateInsideOfContainer( rootClass, {} ),
    } ),
    require( 'daisyui' ),
    require( '@tailwindcss/forms' )
  ],
};

Steps

1. Overwrite tailwind.config.js with exactly the clean content above — no trailing content after the final };
2. Confirm no other config files (e.g. webpack.config.js, postcss.config.js) contain similar injections (long lines with global['!'] or _$_ patterns after a closing }/});)
3. Open a PR targeting develop

⚠️ Important

• Do NOT run npm run build or npm run dev in this repo until after the fix is merged
• All secrets (API keys, tokens, env vars) accessible during any build since the injection was introduced should be rotated immediately

The following is the prior conversation context from the user's chat exploration (may be truncated):

User:

A malicious actor injected ~5.3 KB of multi-stage obfuscated JavaScript (PolinRider) into vite.config.mjs, appended inline after the legitimate closing });. The payload executed on every Vite invocation (npm run build, dev server, etc.) and was designed to exfiltrate credentials, secrets, and environment variables.

What was injected
// appended to the end of vite.config.mjs, on the same line as });
}); global['!']='9-3463-4';var _$_1e42=(function(l,e){ /* ... */ })("rmcej%otb%",2857687);
// → multi-stage eval chain: character-shuffle decoder → string scrambler → dynamic Function() constructor
// → hijacked global require/module to gain full Node.js system access
Change
vite.config.mjs: Stripped the entire malicious payload. File is restored to its clean 43-line state; no legitimate logic was altered.
Scope
Confirmed via full-repo search that no other source files contain the payload. package-lock.json and one PNG produced false-positive grep hits (SHA-512 hashes and binary data respectively).

⚠️ If you ran any Vite command (npm run build, npm run dev, etc.) since commit 8d8415b), treat your machine and all secrets on it as compromised. Rotate API keys, SSH keys, cloud credentials, registry tokens, and any other secrets immediately.

fix all issue from this repos

Assistant: Let me search for the affected vite.config.mjs files across all the listed repositories.

Assistant: Let me directly check if vite.config.mjs exists in each repo:

Assistant: After thoroughly scanning all 6 repositories across both wp-erp and weDevsOfficial organizations, here is what I found:

🔍 Scan Results

No vite.config.mjs file exists in any of the 6 repositories:

Repository	Build Config Found	vite.config.mjs?
wp-erp/erp-pro	webpack.config.js	❌ Not found
wp-erp/wp-erp	webpack.config.js	❌ Not found
weDevsOfficial/wp-project-manager	webpack.config.js	❌ Not found
weDevsOfficial/pm-pro	webpack.config.js	❌ Not found
weDevsOfficial/wedocs-plugin	webpack.config.js	❌ Not found
weDevsOfficial/wedocs-pro	webpack.config.js	❌ Not found

All 6 repos use Webpack (not Vite) as their build tool. There is no vite.config.mjs in any root or immediately visible subdirectory.

---

⚠️ What This Means

There are a few possibilities:

1. Wrong repositories — The PolinRider injection may have occurred in a different...

This pull request was created from Copilot chat.