Branded as a components library for two popular open source resources, Material Tailwind instead loads a Windows .exe that can run PowerShell scripts.

5 Min Read
red npm logo printed on paper
Source: Araki Illustrations via Alamy Stock Photo

A malicious package in the npm open source code repository is hitching a social engineering ride on the "Tailwind" legitimate software library tool, which millions of application developers use around the globe. The finding comes as threat actors continue to see opportunity in seeding open source software with malware.

Threat actors are branding the malicious package as "Material Tailwind," describing it as "an easy-to-use components library for Tailwind CSS and Material Design," two commonly used open source libraries that have millions of downloads each, researchers from ReversingLabs have found.

Tailwind is as an open source CSS framework that doesn’t provide predefined classes for elements, while Material Design is a design language that uses grid-based layouts, responsive animations, and other visual effects. Both "are recognizable names and massively popular libraries among developers," according to the firm.

However, Material Tailwind is not helpful to developers at all, researchers revealed in a post published on Sept. 22. It instead delivers a multistage attack — rare for this type of malware — that downloads a malicious, custom-packed Windows executable capable of running PowerShell scripts.

"In most of these cases, the malware in question is fairly simple JavaScript code that is rarely even obfuscated," Karlo Zanki, reverse engineer at ReversingLabs, observed in the post. "Sophisticated multistage malware samples like Material Tailwind are still a rare find."

Researchers at ReversingLabs detected the malicious behavior because the purported library modification contained code obfuscated with JavaScript Obfuscator. Moreover, while the description of the package seemed legitimate enough, closer inspection revealed that it was copied from another npm package named tailwindcss-stimulus-components, they said, which the threat actors then Trojanized.

"The threat actor took special care to modify the entire text and code snippets to replace the name of the original package with Material Tailwind," Zanki wrote. "The malicious package also successfully implements all of the functionality provided by the original package."

How the Attack Works

ReversingLabs researchers analyzed Material Tailwind in detail by de-obfuscating the suspicious script, executes immediately after the package is installed — behavior that is in and of itself "a (big) red flag" for threat researchers, Zanki noted.

Once the package installs, the module first sends a POST request with platform information to a specific IP address to validate that it's being executed on a Win32 system. If so, it constructs a download link containing the type of the operating system, and it also adds a parameter likely used to validate that the download request is coming from the victim's machine, researchers found.

A password-protected .zip archive named DiagnosticsLogger.zip is downloaded, which contains a single file, named DiagnosticsHub.exe, likely to disguise the payload as some kind of diagnostic tool, Zanki noted. Attackers probably use password protection to avoid basic antivirus checks as well, he said.

Finally, the script spawns a child process that executes the downloaded file, a custom-packed, Windows executable that uses several protections aimed at making it difficult to analyze, Zanki said.

Packed information includes several PowerShell code snippets responsible for command and control, communication, and process manipulation, researchers found. The malware achieves persistence by executing a Base64-encoded PowerShell command, which sets up a scheduled task to be executed daily.

A stage-two process of the malicious code fetches an XOR-encrypted and Base64-encoded file from a public Google Drive link or, in the case that the link can't be accessed, from one or the other of two alternative download locations — one at GitHub and another one at OneDrive, researchers found.

At the time of publication, the encrypted file contains a single IP address, which is the location of its command-and-control server from which the malware receives encrypted instructions using a dedicated socket connection, they added.

Weaponizing Open Source Code

Open source software and npm packages in particular have become a target of choice for threat actors lately because they can easily be weaponized against the software supply chain. In fact, planting malware in open source code is one of the fastest-growing types of software supply chain attacks "being spotted almost daily now," according to Zanki.

These types of attacks also are forcing enterprises to pivot when it comes to how they secure their environments, notes Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center.

"Up until recently, organizations only had to contend with the security vulnerabilities in their applications that were unintentionally inherited through open source components and their dependencies — which wasn’t a trivial task to begin with," he says. "Now, attackers are baiting organizations into using open source packages that were modified with malicious intent."

Npm packages are an attractive conduit for software supply chain attacks "in part due to the sheer volume of open source components and dependencies typically used to build NodeJS applications," he observed.

These dependencies indeed are increasing the security risks for enterprises, presently a considerable challenge in how quickly problems throughout resources can multiply, notes Ben Pick, principal cybersecurity consultant at application security provider nVisium.

"Thus, an attacker would only need to target and compromise one of the many open source projects in a pipeline to cause considerable harm," he observes.

Software Supply Chain: Multiple Cyberattack Options

Attackers that leverage npm packages are getting creative in how they use the open source repositories.

A report published in February identified more than 1,300 malicious npm packages in 2021 that allowed attackers to get up to a number of nefarious activities, including cryptojacking and data theft. In terms of tricking people into installing them, some packages masquerade as tools for security research, researchers found.

Two examples of recent attacks in which attackers leverage npm packages surfaced in July. The first, reported on July 5, revealed a long-range supply chain attack after several packages using a JavaScript obfuscator to hide their true function were discovered in April.

In another, reported on July 29, attackers used four npm packages containing highly obfuscated malicious Python and JavaScript code to spread the "Volt Stealer" and "Lofy Stealer" malware to collect information from their victims, including Discord tokens and credit-card information, as well as spy on them over time.

About the Author(s)

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights