Malicious NPM package discovered in supply chain attack


A popular development library has been used as the lure in a new supply chain attack aimed at poisoning software packages and wreaking havoc downstream.

ReversingLabs researchers said the Material Tailwind library was spoofed in an apparent supply chain attack targeting developers. The team spotted a lookalike npm package published to the registry, intended to trick unwitting developers into installing it instead of the real library.

Designed for use with Tailwind CSS, the Material Tailwind library is used by developers to create site and application user interfaces. The library has millions of active installs, according to ReversingLabs, making it an attractive target for threat actors looking to infect developers in hopes of pulling off a supply chain attack.

In this case, the ReversingLabs team discovered that the lookalike library was launched to catch careless developers who might accidentally choose the wrong library to add to their project.

“The threat actor took special care to modify all text and code snippets to change the name of the original package to Material Tailwind,” Karlo Zanki, reverse engineer at ReversingLabs, wrote in a blog post Friday. “The malicious package also successfully implements all functionality provided by the original package.”

ReversingLabs told TechTarget Editorial that the attackers do not appear to be targeting a specific industry or sector, but instead chose to cast as wide a net as possible by impersonating a popular library.

Zanki noted that the NPM package itself contained unique tricks, such as obfuscated code — an apparent effort to thwart security tools or developer analysis. Once installed, the fake library runs JavaScript code that extracts additional components capable of performing tasks such as file system access, encryption, and network operations.

In the end, the researchers discovered that the fake library ends up downloading and executing a malicious application to perform various tasks on the host machine.

This finding is just the latest in a growing trend of threat actors targeting NPM and other dependency repositories.

As add-ons are popular with developers and are often downloaded and run unchecked, a successful attack could allow cybercriminals to not only compromise the developer’s system, but also those of end users who in turn download and run the application.
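The two signals in the paragraphs above, a package name that is a near-miss of a library a team actually uses and a script that runs at install time (where a download-and-execute stage typically lives), are both cheap to check before a dependency is trusted. The following is an added example of such a check written for this article; it is not ReversingLabs' tooling or any project's code, and the trusted-package list, package names and scripts it operates on are constructed, not the actual registry names from the report.

```javascript
// Added example (not from the article or ReversingLabs): audit a package.json
// object for (1) a name within a few edits of a trusted package and
// (2) npm lifecycle scripts that execute during installation.

// Hooks npm runs automatically when a package is installed.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Install-time script contents a reviewer would want to inspect by hand.
const SUSPICIOUS_SCRIPT_PATTERNS = [
  /\bnode\s+-e\b/,       // inline JavaScript handed to node
  /\bcurl\b|\bwget\b/,   // fetching something from the network at install time
  /base64/i,             // encoded payloads
  /\beval\s*\(/,         // dynamic code execution
];

// Levenshtein edit distance with a single rolling row; small enough to inline.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // dp[i-1][0]
    prev[0] = i;        // dp[i][0]
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // dp[i-1][j], needed as next diagonal
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Return the trusted name this package imitates, or null if it is either an
// exact trusted package or not close to any of them.
function lookalikeOf(name, trustedNames, maxDistance = 2) {
  const n = name.toLowerCase();
  const trusted = trustedNames.map((t) => t.toLowerCase());
  if (trusted.includes(n)) return null; // exact match: this is the real package
  const hit = trusted.find((t) => levenshtein(n, t) <= maxDistance);
  return hit === undefined ? null : hit;
}

// List every lifecycle hook the package defines and whether it matches a
// pattern worth manual review.
function installTimeScripts(pkgJson) {
  const scripts = pkgJson.scripts || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({
      hook,
      command: scripts[hook],
      suspicious: SUSPICIOUS_SCRIPT_PATTERNS.some((re) => re.test(scripts[hook])),
    }));
}

// Combine both checks into a list of human-readable findings (empty = clean).
function auditPackage(pkgJson, trustedNames) {
  const findings = [];
  const near = lookalikeOf(pkgJson.name, trustedNames);
  if (near) {
    findings.push(`name "${pkgJson.name}" is within 2 edits of trusted package "${near}"`);
  }
  for (const s of installTimeScripts(pkgJson)) {
    findings.push(`${s.suspicious ? "SUSPICIOUS " : ""}install-time script ${s.hook}: ${s.command}`);
  }
  return findings;
}

// Constructed sample inputs: hypothetical names, not real registry packages.
const TRUSTED = ["@acme-ui/material-tailwind", "tailwindcss"];

const benignPkg = {
  name: "@acme-ui/material-tailwind",
  version: "2.0.0",
  scripts: { build: "tsc -p ." }, // build script only; nothing runs on install
};

const lookalikePkg = {
  name: "@acme-ui/material-tailwnid", // two characters transposed
  version: "2.0.0",
  scripts: { postinstall: "node -e \"require('./lib/setup.js')\"" },
};

for (const pkg of [benignPkg, lookalikePkg]) {
  console.log(pkg.name, auditPackage(pkg, TRUSTED));
}
```

Run it with `node` and the lookalike package produces two findings while the benign one produces none. The same checks can be applied to every `package.json` under `node_modules` after a `npm install --ignore-scripts`, so that lifecycle scripts are reviewed before they are ever allowed to run.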

Zanki said that while the Material Tailwind doppelganger is more sophisticated and complex than many other attacks, it uses increasingly common tactics.

“These types of software supply chain attacks can now be spotted almost daily. In most of these cases, the malware in question is fairly simple JavaScript code that is rarely even obfuscated,” Zanki wrote.

“Given the advanced nature of this malicious package and the fact that it mimics widely used software development libraries, it is safe to assume that threat actors feel encouraged to continue leveraging open source repositories,” he concluded.
