Malicious NPM package discovered in supply chain attack
Threat actors are circulating a look-alike version of the Material Tailwind NPM package to infect developers as part of supply chain malware attacks, according to ReversingLabs.
A developer tool has become the lure for a new supply chain scam aimed at poisoning software packages and causing downstream havoc.
Researchers with ReversingLabs said the Material Tailwind library is being impersonated for an apparent supply chain attack targeting developers. The team spotted a look-alike NPM package circulating on repositories, intended to trick unwitting developers into using the package in place of the real library.
Designed for use with Tailwind CSS, the Material Tailwind library is used by developers to build site and application user interfaces. The library has millions of active installations, according to ReversingLabs, making it an attractive target for threat actors looking to infect developers in hopes of pulling off a supply chain attack.
In this case, the ReversingLabs team found that the look-alike library had been pitched to catch unwary developers who might accidentally pick the wrong library to add to their project.
"The threat actor took special care to modify the entire text and code snippets to replace the name of the original package with Material Tailwind," wrote Karlo Zanki, reverse engineer at ReversingLabs, in a blog post Friday. "The malicious package also successfully implements all of the functionality provided by the original package."
ReversingLabs told TechTarget Editorial that the attackers don't seem to be targeting any specific industry or sector, but rather have opted to cast as wide a net as possible by impersonating a popular library.
Zanki noted that the NPM package itself contained some unique tricks, such as obfuscated code -- an apparent effort to thwart security tools or analysis by developers. Once installed, the fake library executes JavaScript code that pulls down additional components capable of performing tasks such as file system access, encryption and network operations.
Ultimately, the researchers found, the phony library ends up downloading and executing a malicious application to perform various tasks on the host machine.
The find is just the latest in a growing trend of threat actors targeting NPM and other dependency repositories.
As the modules are popular with developers, and are often downloaded and executed unchecked, a successful attack could allow cybercriminals to not only compromise the developer's system, but also those of end users who in turn download and run the application.
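The two warning signs the article describes, a package that runs code as soon as it is installed and a name chosen to be mistaken for a popular library, can both be checked before a dependency is executed unchecked. The following is an added example written for this page, not code from ReversingLabs, TechTarget or the Material Tailwind project: it audits package manifests for install-time lifecycle scripts and for names within a small edit distance of a watchlist of well-known packages. The watchlist, the manifests and the look-alike name `materia1-tailwind` are constructed sample data.

```javascript
// Added example (not from the article or the projects it mentions).
// Flags two signals before a dependency is trusted:
//   1. install-time lifecycle scripts, which let a package run code the
//      moment `npm install` finishes;
//   2. a package name that is a near miss of a well-known one (look-alike).
// All names and manifests below are constructed sample data.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Constructed watchlist; a real deployment would use the organisation's own
// approved-package set rather than this short list.
const WATCHLIST = ["lodash", "express", "react", "material-tailwind"];

// Levenshtein edit distance (single-row dynamic programming).
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // distance(a[0..i-2], b[0..j-2]) for the current j
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(
        prev[j] + 1,                                   // delete a[i-1]
        prev[j - 1] + 1,                               // insert b[j-1]
        diag + (a[i - 1] === b[j - 1] ? 0 : 1)         // substitute or keep
      );
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Return human-readable findings for one parsed package.json object.
function auditManifest(manifest, watchlist = WATCHLIST) {
  const findings = [];
  const scripts = manifest.scripts ?? {};
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === "string") {
      findings.push(`install-time script "${hook}": ${scripts[hook]}`);
    }
  }
  const name = (manifest.name ?? "").toLowerCase();
  for (const known of watchlist) {
    if (name === known) continue; // exact match is the real package, not a look-alike
    const d = editDistance(name, known.toLowerCase());
    if (d > 0 && d <= 2) {
      findings.push(`name "${manifest.name}" is within ${d} edit(s) of "${known}"`);
    }
  }
  return findings;
}

// Audit a list of manifests (e.g. every package.json under node_modules)
// and return only the packages that need a human look.
function auditAll(manifests, watchlist = WATCHLIST) {
  const report = {};
  for (const m of manifests) {
    const f = auditManifest(m, watchlist);
    if (f.length > 0) report[m.name] = f;
  }
  return report;
}

// Constructed sample input: one benign package and one look-alike that also
// registers a postinstall hook.
const SAMPLE_MANIFESTS = [
  { name: "lodash", version: "4.17.21", scripts: { test: "mocha" } },
  { name: "materia1-tailwind", version: "1.0.0", scripts: { postinstall: "node setup.js" } },
];

const SAMPLE_REPORT = auditAll(SAMPLE_MANIFESTS);
console.log(JSON.stringify(SAMPLE_REPORT, null, 2));
```

In practice the manifests would be read from `node_modules/*/package.json` (or from the lockfile) in CI, and any finding would block the build until someone confirms the package is the intended one; a benign package can legitimately use `postinstall`, so the hook finding is a prompt for review rather than proof of malice.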
Zanki said that while the Material Tailwind look-alike is more sophisticated and complex than many other attacks, it uses tactics that are increasingly common.
"These types of software supply chain attacks can be spotted almost daily now. In most of these cases, the malware in question is fairly simple JavaScript code that is rarely even obfuscated," Zanki wrote.
"Given the advanced nature of this malicious package and the fact that it is imitating widely used software development libraries, it is safe to assume that threat actors feel emboldened to continue taking advantage of open source repositories," he concluded.