Malicious npm package poses as a Tailwind tool


A malicious package in the npm open source code repository is using social engineering to trade on the name of the legitimate software library tool “Tailwind”, which is used by millions of app developers worldwide. The finding comes as threat actors continue to see an opportunity to seed open-source software with malware.

The threat actors call the malicious package “Material Tailwind” and describe it as “an easy-to-use component library for Tailwind CSS and Material Design”, two commonly used open-source libraries that each have millions of downloads, researchers from ReversingLabs found.

Tailwind is an open-source CSS framework that does not provide predefined classes for elements, while Material Design is a design language that uses grid-based layouts, responsive animations, and other visual effects. Both “are recognizable names and massively popular libraries among developers,” according to the firm.

However, Material Tailwind is not at all useful for developers, researchers have revealed in a post published on September 22. Instead, it delivers a multi-step attack – rare for this type of malware – that downloads a malicious, custom Windows executable capable of executing PowerShell scripts.

“In most of these cases, the malware in question is fairly simple JavaScript code that is rarely even obfuscated,” Karlo Zanki, reverse engineer at ReversingLabs, observed in the post. “Samples of sophisticated multi-stage malware like Material Tailwind are still rare.”

ReversingLabs researchers detected the malicious behavior because the alleged library modification contained code obfuscated with JavaScript Obfuscator. Also, while the package description looked quite legitimate, further inspection revealed that it was copied from another npm package named tailwindcss-stimulus-components, they said, which the threat actors then trojanized.

“The threat actor took special care in modifying all text and code snippets to change the name of the original package to Material Tailwind,” Zanki wrote. “The malicious package also successfully implements all functionality provided by the original package.”

How the Attack Works

ReversingLabs researchers analyzed Material Tailwind in detail by de-obfuscating the suspicious script, which runs immediately after the package is installed – a behavior that in itself is “a (big) red flag” for threat researchers, Zanki noted.
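The two signals described above, an install-time script and obfuscated code, can be checked together before a package is allowed into a build. The following is an added example, not ReversingLabs' tooling or code from the original article; the function names, thresholds and sample package are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical triage helpers; all sample data is constructed.
// Lifecycle hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Heuristics for javascript-obfuscator style output. Thresholds are assumptions.
function obfuscationScore(source) {
  const hexIds = (source.match(/\b_0x[0-9a-f]{3,}\b/gi) || []).length;
  const hexEscapes = (source.match(/\\x[0-9a-f]{2}/gi) || []).length;
  const longestLine = source.split("\n").reduce((m, l) => Math.max(m, l.length), 0);
  const suspicious = hexIds >= 5 || hexEscapes >= 20 || longestLine > 2000;
  return { hexIds, hexEscapes, longestLine, suspicious };
}

// Pull JavaScript file paths out of a hook command such as "node ./x.js".
function scriptFilesIn(command) {
  return command.split(/\s+/)
    .filter((token) => /\.(c|m)?js$/.test(token))
    .map((token) => token.replace(/^\.\//, ""));
}

// manifest: parsed package.json; files: map of package path -> file contents.
function triagePackage(manifest, files) {
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const command = (manifest.scripts || {})[hook];
    if (!command) continue;
    findings.push({ hook, command, reason: "runs automatically on install" });
    for (const path of scriptFilesIn(command)) {
      const source = files[path];
      if (source === undefined) {
        findings.push({ hook, path, reason: "hook target not found in package" });
      } else if (obfuscationScore(source).suspicious) {
        findings.push({ hook, path, reason: "install hook runs obfuscated code" });
      }
    }
  }
  return findings;
}

// Constructed sample: a postinstall hook whose target looks obfuscated.
const sampleManifest = {
  name: "example-ui-kit", version: "1.0.0",
  scripts: { test: "jest", postinstall: "node ./scripts/setup.js" },
};
const sampleFiles = { "scripts/setup.js":
  "var _0x3f2a=['\\x70\\x6f\\x73\\x74'];(function(_0x1b2c,_0x4d5e){" +
  "var _0x2a1f=function(_0x5c6d){while(--_0x5c6d){_0x1b2c.push(_0x1b2c.shift());}};" +
  "_0x2a1f(++_0x4d5e);}(_0x3f2a,0x1a));" };
console.log(triagePackage(sampleManifest, sampleFiles));
```

An install hook alone is common in legitimate packages, so the first finding is a prompt for review; the combination with obfuscated hook code is the stronger signal.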

After the package is installed, the module first sends a POST request with platform information to a specific IP address to validate its execution on a Win32 system. If so, it constructs a download link containing the operating system type and also adds a parameter that could be used to validate that the download request originated from the victim’s machine, the researchers found.

A password-protected .zip archive named is downloaded, which contains a single file, named DiagnosticsHub.exe, that may disguise the payload as some sort of diagnostic tool, Zanki noted. Attackers are likely using password protection to avoid basic virus checks as well, he said.

Finally, the script spawns a child process that runs the downloaded file, a custom Windows executable that uses several protections aimed at making it difficult to parse, Zanki said.

The packaged information includes several PowerShell code snippets responsible for command and control, communication and process manipulation, the researchers found. The malware achieves persistence by running a Base64-encoded PowerShell command, which sets up a scheduled task to run daily.

A second-stage process of the malicious code retrieves an XOR-encrypted and Base64-encoded file from a public Google Drive link or, in case the link is not accessible, from either of two alternative download locations – one on GitHub and another on OneDrive, the researchers found.

At the time of publication, the encrypted file contains a single IP address, which is the location of its command and control server from which the malware receives encrypted instructions using a dedicated socket connection, they added.

Weaponizing open source code

Open source software and npm packages in particular have become a prime target for threat actors lately, as they can easily be used as weapons against the software supply chain. In fact, implanting malware in open source code is one of the fastest growing types of software supply chain attacks “now being spotted almost daily,” according to Zanki.

These types of attacks are also forcing organizations to reorient how they secure their environments, notes Tim Mackey, senior security strategist at Synopsys Cybersecurity Research Center.

“Until recently, companies only had to deal with security vulnerabilities in their applications that were unintentionally inherited from open source components and their dependencies, which was not a trivial task to begin with,” he says. “Now attackers trick organizations into using open source packages that have been modified with malicious intent.”

Npm packages are an attractive channel for software supply chain attacks “partly due to the sheer volume of open source components and dependencies typically used to build NodeJS applications,” he observed.

These dependencies increase security risks for enterprises, and the speed at which problems within those resources can multiply currently presents a considerable challenge, notes Ben Pick, principal cybersecurity consultant at the application security provider nVisium.

“So an attacker would only have to target and compromise one of many open source projects in a pipeline to cause massive damage,” he observes.

Software supply chain: several cyberattack options

Attackers exploiting npm packages are getting creative in how they use open source repositories.

A report published in February identified over 1,300 malicious npm packages in 2021 that enabled attackers to engage in a number of nefarious activities, including cryptojacking and data theft. To trick people into installing them, some packages pose as security research tools, researchers have found.

Two examples of recent attacks in which attackers exploit npm packages surfaced in July. The first one, announced July 5, revealed a long-range supply chain attack after several packages were discovered in April using a JavaScript obfuscator to mask their true function.

In another, reported on July 29, attackers used four npm packages containing highly obfuscated malicious Python and JavaScript code to spread “Volt Stealer” and “Lofy Stealer” malware to collect information from their victims, including Discord tokens and credit card information, as well as to spy on them over time.
