Malicious npm Package Poses as Tailwind Tool

A malicious package in the npms open source repository is heading for a social engineering ride on the “Tailwind” legitimate software library tool used by millions of application developers around the globe. The finding comes as threat actors continue to see opportunities in seeding open source software with malware.

Threat actors brand the malicious package as “Material Tailwind,” and describe it as “an easy-to-use component library for Tailwind CSS and Material Design,” two commonly used open source libraries that each have millions of downloads, researchers from ReversingLabs have found.

Tailwind is like an open source CSS framework that doesn’t provide predefined classes for elements, while Material Design is a design language that uses grid-based layouts, responsive animations, and other visual effects. Both “are recognizable names and massively popular libraries among developers,” according to the company.

However, Material Tailwind is not at all useful for developers, researchers revealed in a post published on September 22. Instead, it delivers a multi-stage attack – rare for this type of malware – that downloads a malicious, specially packaged Windows executable capable of running PowerShell scripts.

“In most of these cases, the malware in question is fairly simple JavaScript code that is rarely even obfuscated,” noted Karlo Zanki, reverse engineer at ReversingLabs, in the post. “Sophisticated multi-stage malware samples like Material Tailwind are still a rare find.”

Researchers at ReversingLabs discovered the malicious behavior because the alleged library change contained code obfuscated with the JavaScript Obfuscator. Also, while the description of the package seemed legitimate enough, closer inspection revealed that it was copied from another npm package named tailwindcss-stimulus-components, they said, which the threat actors then trojanized.

“The threat actor took particular care to change the entire text and code snippets to replace the name of the original package with Material Tailwind,” Zanki wrote. “The malicious package also implements all the functionality provided by the original package.”

How the attack works

ReversingLabs researchers analyzed Material Tailwind in detail by de-obfuscating the suspicious script that executes immediately after the package is installed — behavior that itself is “a (big) red flag” for threat researchers, Zanki noted.

After the package is installed, the module first sends a POST request with platform information to a specific IP address to validate that it is running on a Win32 system. If so, it constructs a download link containing the type of operating system, and it also adds a parameter likely used to validate that the download request is coming from the victim’s machine, researchers found.

A password-protected .zip archive named is downloaded, which contains a single file, called DiagnosticsHub.exe, which will likely disguise the payload as some kind of diagnostic tool, Zanki noted. Attackers are also likely to use password protection to avoid basic antivirus checks, he said.

Finally, the script spawns a child process that executes the downloaded file, a specially packaged Windows executable that uses several protections intended to make it difficult to analyze, Zanki said.

Packaged information includes several PowerShell code snippets responsible for command and control, communication and process manipulation, researchers found. The malware achieves persistence by executing a Base64-encoded PowerShell command that sets up a scheduled task to run daily.

A phase-two process of the malicious code retrieves an XOR-encrypted and Base64-encoded file from a public Google Drive link or, in the event that the link cannot be accessed, from one or the other of two alternative download locations — one at GitHub and another at OneDrive, researchers found.

At the time of publication, the encrypted file contains a single IP address, which is the location of its command-and-control server, from which the malware receives encrypted instructions using a dedicated socket connection, they added.

Weaponizing Open Source Code

In particular, open source software and npm packages have become a favorite target for threat actors recently because they can be easily weaponized against the software supply chain. In fact, planting open-source malware is one of the fastest-growing types of software supply chain attacks “being discovered almost daily now,” according to Zanki.

These types of attacks are also forcing companies to pivot when it comes to how they secure their environments, notes Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Center.

“Until recently, organizations only had to contend with the security vulnerabilities in their applications that were inadvertently inherited through open source components and their dependencies – which was not a trivial task to begin with,” he says. “Now attackers are luring organizations into using open source packages that were modified with malicious intent.”

Npm packages are an attractive conduit for software supply chain attacks “in part because of the large amount of open source components and dependencies typically used to build NodeJS applications,” he noted.

These dependencies actually increase security risks for businesses, which is currently a significant challenge in terms of how quickly problems can multiply across resources, notes Ben Pick, principal cybersecurity consultant at application security provider nVisium.

“Thus, an attacker only needs to target and compromise one of the many open source projects in a pipeline to cause significant damage,” he notes.

Software Supply Chain: More Opportunities for Cyber ​​Attacks

Attackers exploiting npm packages get creative in how they use the open source repositories.

A report published in February identified more than 1,300 malicious npm packages in 2021 that allowed attackers to get up to a variety of innocuous activities, including cryptojacking and data theft. As for tricking people into installing them, some packages disguise themselves as security research tools, researchers found.

Two examples of recent attacks where attackers exploit npm packages appeared in July. The first, reported on July 5, exposed a wide range of supply chain attacks after several packages that used a JavaScript obfuscator to hide their true function were discovered in April.

In another, reported on July 29, attackers used four npm packages containing highly obfuscated malicious Python and JavaScript code to spread the “Volt Stealer” and “Lofy Stealer” malware to collect information from their victims, including Discord- tokens and credit card information, as well as spying on them over time.


Leave a Reply

Your email address will not be published.