Security News > 2022 > September > Malicious NPM Package Caught Mimicking Material Tailwind CSS Package

A malicious NPM package has been found masquerading as the legitimate software library for Material Tailwind, once again indicating attempts on the part of threat actors to distribute malicious code in open source software repositories.

Material Tailwind is a CSS-based framework advertised by its maintainers as an "Easy to use components library for Tailwind CSS and Material Design."

"The malicious Material Tailwind npm package, while posing as a helpful development tool, has an automatic post-install script," Karlo Zanki, security researcher at ReversingLabs, said in a report shared with The Hacker News.

The typosquatted Material Tailwind module is the latest in a long list of attacks targeting open source software repositories like npm, PyPI, and RubyGems in recent years.

The attack also serves to highlight the software supply chain as an attack surface, which has risen in prominence owing to the cascading impact attackers can have by distributing malicious code that can wreak havoc across multiple platforms and enterprise environments in one go.

The supply chain threats have also prompted the U.S. government to publish a memo directing federal agencies to "Use only software that complies with secure software development standards" and obtain "Self-attestation for all third-party software."

News URL

https://thehackernews.com/2022/09/malicious-npm-package-caught-mimicking.html