Malicious NPM Package Caught Mimicking Material Tailwind CSS Package


A malicious NPM package disguised as the legitimate Material Tailwind library has been discovered, once again showing that threat actors are trying to distribute malicious code through open source software repositories.

Material Tailwind is a CSS-based framework advertised by its maintainers as an “easy-to-use component library for Tailwind CSS and Material Design”.

“The Material Tailwind npm malicious package, while masquerading as a useful development tool, has an automated post-install script,” said Karlo Zanki, a security researcher at ReversingLabs, in a report shared with The Hacker News.


This script is designed to download a password-protected ZIP file containing a Windows executable capable of running PowerShell scripts.

The unauthorized package, named material-tailwindcss, has been downloaded 320 times to date, all on or after September 15, 2022.

In a tactic that is becoming increasingly common, the threat actor appears to have taken great care to mimic the functionality provided by the original package, while stealthily using a post-install script to introduce the malicious features.

This takes the form of a ZIP file retrieved from a remote server that embeds a Windows binary, given the name “DiagnosticsHub.exe”, likely in an attempt to pass off the payload as a diagnostic utility.

[Figure: code for the stage 2 download]

Packaged within the executable are PowerShell code snippets responsible for command-and-control communication, process manipulation, and establishing persistence via a scheduled task.

The typosquatted Material Tailwind module is the latest in a long line of attacks targeting open source software repositories such as npm, PyPI, and RubyGems in recent years.


The attack also highlights the software supply chain as an attack surface. It has risen to prominence because of the cascading impact attackers can achieve: a single piece of malicious code distributed through a shared dependency can affect multiple platforms and enterprise environments at once.

Supply chain threats have also prompted the US government to issue a memorandum directing federal agencies to “use only software that meets secure software development standards” and to obtain “self-certification for all third party software”.

“Ensuring software integrity is key to protecting federal systems from threats and vulnerabilities and reducing the overall risk of cyberattacks,” the White House said last week.
