A malicious NPM package has been discovered posing as the legitimate software library for Material Tailwind, again indicating attempts by threat actors to distribute malicious code in open source software repositories.
Material Tailwind is a CSS-based framework touted by its maintainers as an “easy-to-use component library for Tailwind CSS and Material Design.”
“The Material Tailwind malicious npm package, while posing as a useful development tool, has an automatic post-installation script,” Karlo Zanki, security researcher at ReversingLabs, said in a report shared with The Hacker News.
This script is designed to download a password-protected ZIP archive file that contains a Windows executable capable of running PowerShell scripts.
The now-removed rogue package, named material-tailwindcss, has been downloaded 320 times to date, all of which occurred on or after September 15, 2022.
In a tactic that is becoming increasingly common, the threat actor appears to have taken great pains to replicate the functionality of the original package, while quietly introducing the malicious behaviour through a post-installation script that npm runs automatically once the package is installed.
This takes the form of a ZIP file fetched from a remote server that embeds a Windows binary, which is given the name “DiagnosticsHub.exe” presumably in an effort to pass off the payload as a diagnostic utility.
[Image: code for the stage-2 download]
The executable contains PowerShell code snippets responsible for command-and-control communication, process manipulation, and establishing persistence through a scheduled task.
The typosquatted Material Tailwind module is the latest in a long list of attacks targeting open source software repositories such as npm, PyPI and RubyGems in recent years.
The attack also highlights the software supply chain as an attack surface, one that has grown in prominence because a single malicious package can cascade into many platforms and enterprise environments at once.
Supply chain threats also prompted the U.S. government to issue a memo directing federal agencies to “use only software that meets secure software development standards” and obtain “self-attestation for all third-party software”.
“Ensuring software integrity is critical to protecting federal systems against threats and vulnerabilities and reducing the overall risk of cyberattacks,” the White House said last week.