An unidentified threat actor deploys malicious NPM packages.
Sep 23, 2022

In another instance of a software supply chain attack, ReversingLabs researchers outline the placement of a malicious NPM package in a widely used components library.

ReversingLabs discovered a malicious NPM package posing as Material Tailwind, a components library for Tailwind CSS and Material Design. 

“These types of software supply chain attacks can be spotted almost daily now. In most of these cases, the malware in question is fairly simple JavaScript code that is rarely even obfuscated. Sophisticated multistage malware samples like Material Tailwind are still a rare find.

“In this case the complexity of the malware tactics leads to a conclusion that sophisticated actors could be behind this attack. For now, our analysis of the situation tells us that Material Tailwind’s stage two payload can be classified as a fully functional Trojan malware. It uses a lot of techniques to complicate reverse engineering. Additionally, IP redirection using a file hosted on a legitimate service like Google Drive is also performed before the communication with the actual C2 server.”

The researchers add that the threat actor “did quite a good job at making the package description as convincing as possible.... The threat actor took special care to modify the entire text and code snippets to replace the name of the original package with Material Tailwind. The malicious package also successfully implements all of the functionality provided by the original package.”

ReversingLabs' researchers situate the campaign in the larger context of software supply chain attacks. This case is another instance of what has become a rising trend of such attacks.