Threat analysis: Malicious npm package mimics Material Tailwind CSS tool

Two sentences summarizing the article: ReversingLabs details a malicious npm package, material-tailwindcss, that masquerades as Material Tailwind and uses a postinstall script to download a password-protected ZIP containing a Windows executable. The campaign combines obfuscated JavaScript, multi-stage payloads for both Windows and macOS, and anti-analysis checks to persist on the host and reach a C2 server. #MaterialTailwind #material-tailwindcss #IconBurst #ReversingLabs #TitaniumPlatform #LaunchAgents #CoreSimulator #GoogleDrive #GitHub #OneDrive

Keypoints

  • The npm package material-tailwindcss masquerades as Material Tailwind, a popular Tailwind/Material Design library, and ships a postinstall script that downloads a malicious payload; because npm runs postinstall automatically, a plain npm install is enough to trigger it.
  • The package description is not original: it was copied and lightly modified from tailwindcss-stimulus-components so the listing looks convincing while the package carries the malicious functionality.
  • The package's JavaScript is obfuscated with JavaScript Obfuscator to hide its behavior; obfuscation in an install script is itself a red flag, since a CSS library has no legitimate reason to conceal what it runs at install time.
  • Postinstall execution downloads DiagnosticsLogger.zip, which contains DiagnosticsHub.exe (Windows); the archive is protected with the password J##$dj%qvvV89, most likely so that antivirus scanners cannot inspect its contents.
  • On Windows, the downloaded EXE uses a custom runtime packer, long sleep delays (to outlast sandbox time limits), internet-connectivity and sandbox checks, and PowerShell-based persistence before it begins talking to the C2 server that controls the infected host.
  • Stage 2 fetches a XOR-encrypted, base64-encoded file from a public Google Drive link (with GitHub and OneDrive as fallbacks), decrypts it, and contacts the C2 server to receive commands (e.g., directory listing).
  • On macOS, a Mach-O payload persists via LaunchAgents, fetches stage 2 payloads with curl from multiple sources, and executes them through a shell (sh).
  • The campaign fits a trend of imposter npm packages carrying multi-stage malware; because install hooks run automatically, supply-chain defenses need behavior-based monitoring of install-time activity, not just package-name or signature checks.
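The keypoints above describe a dropper that lives in an npm install hook and hides behind JavaScript Obfuscator output. The following is an added example (mine, not code from ReversingLabs or from the Material Tailwind project) of the kind of install-time audit a team can run over a node_modules tree before trusting a fresh install: it lists every package with a preinstall/install/postinstall hook and, when the hook runs a bundled script, checks that file for the obfuscator's `_0x<hex>` identifier scheme and for the module set the post calls suspicious. The thresholds and the sample tree it builds are assumptions for a stand-alone run; none of it is the real material-tailwindcss content.

```python
"""Audit a node_modules tree for install-time hooks and obfuscation markers.

Added example for this summary, not code from the ReversingLabs post. The
thresholds and the constructed sample tree are my own; a hit means "look at
this package", not "this package is malicious".
"""
import json
import os
import re
import tempfile

# Lifecycle scripts npm runs automatically during install: a dropper's home.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# _0x<hex> is JavaScript Obfuscator's default identifier scheme; the module
# list is the set the post calls out (file system, crypto, network, archive
# decompression, process control).
OBFUSCATOR_IDENT = re.compile(r"\b_0x[0-9a-f]{4,}\b")
SUSPICIOUS_MODULES = ("fs", "os", "crypto", "https", "http", "zlib", "child_process")


def audit_package(pkg_dir):
    """Return a list of findings for one package directory (empty = nothing flagged)."""
    findings = []
    try:
        with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as f:
            manifest = json.load(f)
    except (OSError, ValueError):
        return findings
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append(f"install hook {hook!r}: {cmd}")
        # When the hook runs a bundled script, inspect that file too.
        m = re.search(r"node\s+(\S+\.js)", cmd)
        if not m:
            continue
        try:
            with open(os.path.join(pkg_dir, m.group(1)), encoding="utf-8", errors="replace") as f:
                src = f.read()
        except OSError:
            continue
        if len(OBFUSCATOR_IDENT.findall(src)) >= 10:
            findings.append(f"{m.group(1)}: JavaScript Obfuscator-style identifiers")
        used = [mod for mod in SUSPICIOUS_MODULES
                if re.search(r"require\(['\"]" + mod + r"['\"]\)", src)]
        if len(used) >= 4:
            findings.append(f"{m.group(1)}: requires {', '.join(used)}")
    return findings


def audit_node_modules(root):
    """Map package path -> findings for every flagged package under root."""
    results = {}
    for entry in sorted(os.listdir(root)):
        pkg_dir = os.path.join(root, entry)
        if not os.path.isdir(pkg_dir):
            continue
        # Scoped packages (@scope/name) sit one directory deeper.
        dirs = ([os.path.join(pkg_dir, d) for d in sorted(os.listdir(pkg_dir))]
                if entry.startswith("@") else [pkg_dir])
        for d in dirs:
            findings = audit_package(d)
            if findings:
                results[os.path.relpath(d, root)] = findings
    return results


def build_sample_tree():
    """Constructed node_modules for a stand-alone run; NOT the real package."""
    root = tempfile.mkdtemp()
    benign = os.path.join(root, "plain-css-lib")
    os.makedirs(benign)
    with open(os.path.join(benign, "package.json"), "w", encoding="utf-8") as f:
        json.dump({"name": "plain-css-lib", "scripts": {"test": "node test.js"}}, f)
    lookalike = os.path.join(root, "lookalike-css")
    os.makedirs(lookalike)
    with open(os.path.join(lookalike, "package.json"), "w", encoding="utf-8") as f:
        json.dump({"name": "lookalike-css", "scripts": {"postinstall": "node setup.js"}}, f)
    body = "".join(f"var _0x{i:05x}=1;" for i in range(12))
    body += "".join(f"var m{i}=require('{mod}');" for i, mod in enumerate(SUSPICIOUS_MODULES))
    with open(os.path.join(lookalike, "setup.js"), "w", encoding="utf-8") as f:
        f.write(body)
    return root


if __name__ == "__main__":
    for name, findings in audit_node_modules(build_sample_tree()).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Point `audit_node_modules` at a real `node_modules` directory to use it on a project. The hook check alone is noisy (native addons legitimately use install scripts), which is why the script only escalates when the hook's own file also shows obfuscator identifiers or the dropper's module mix.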

MITRE Techniques

  • [T1059.001] PowerShell – A base64-encoded PowerShell command creates a scheduled task that runs daily, giving the Windows payload persistence. Quote: “Persistence is achieved by executing a base64 encoded Powershell command which sets up a scheduled task to be executed daily.”
  • [T1105] Ingress Tool Transfer – The stage 2 download fetches a XOR-encrypted, base64-encoded file from a public Google Drive link, with GitHub and OneDrive as fallbacks. Quote: “At stage 2, the malware fetches a XOR encrypted and base64 encoded file from a public Google Drive link.”
  • [T1027] Obfuscated/Compressed Files and Information – The package's JavaScript is obfuscated with JavaScript Obfuscator to hide its behavior; even so, the module imports give it away. Quote: “the list of imported modules already looks suspicious. It contains modules for file system operations, encryption, network communication, archive decompression and process manipulation.”
  • [T1547.003] Launch Agents – Persistence on macOS is achieved by creating LaunchAgents. Quote: “Persistence is achieved by creating LaunchAgents, a technique typical for macOS malware.”
  • [T1053.005] Scheduled Task – Windows persistence is the daily scheduled task created by the decoded PowerShell command. Quote: “creates a scheduled task to be executed daily.”
  • [T1071.001] Web Protocols – The Windows payload pulls stage 2 from public web services and exchanges status and commands with its C2 server over web protocols. Quote: “the C2 server responded with a command indicating that the status of the victim's machine wasn’t initialized, which triggered execution of a Powershell command.”
  • [T1497] Virtualization/Sandbox Evasion – Before doing anything, the Windows executable verifies outbound internet access and looks for sandbox conditions, alongside its long sleep delays. Quote: “tries to contact trustworthy domains like google.com to verify that it has internet access, and detect if it is executing in a sandboxed environment.”
  • [T1036] Masquerading – The package name and copied description imitate legitimate packages, and the malicious version reproduces the original's functionality so nothing appears broken to the developer who installs it. Quote: “The malicious package also successfully implements all of the functionality provided by the original package.”
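The T1059.001 and T1053.005 entries above describe persistence set up by a base64-encoded PowerShell command. As an added example (mine, not code from the ReversingLabs post, which does not reproduce the real command), here is the decode-and-flag logic a detection pipeline needs for that pattern: `-EncodedCommand` is base64 over UTF-16LE, so decoding it as UTF-8 hides the `schtasks` or `Register-ScheduledTask` keywords behind interleaved NUL bytes. The process-creation events and the task command are constructed stand-ins.

```python
"""Decode PowerShell -EncodedCommand payloads seen in process-creation events
and flag scheduled-task persistence (T1059.001 feeding T1053.005).

Added example for this summary, not code from the ReversingLabs post. The
events and the decoded command are constructed stand-ins; the post does not
reproduce the real command.
"""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc).
ENC_FLAG = re.compile(r"(?i)\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
# Either the cmdlet or the legacy tool can create the task the post describes.
TASK_MARKERS = re.compile(r"(?i)Register-ScheduledTask|schtasks(?:\.exe)?\s+/create")


def decode_encoded_command(cmdline):
    """Return the decoded script, or None when no valid -EncodedCommand is present."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        # The encoding is base64 over UTF-16LE text, not UTF-8; decoding as
        # UTF-8 yields NUL-interleaved garbage and misses keyword matches.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_events(events):
    """events: iterable of (host, command_line). Returns [(host, decoded_script)] hits."""
    hits = []
    for host, cmdline in events:
        script = decode_encoded_command(cmdline)
        if script and TASK_MARKERS.search(script):
            hits.append((host, script))
    return hits


def encode_for_powershell(script):
    """Encode text the way PowerShell expects for -EncodedCommand (used to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (host, command line); only WS01 should be flagged.
SAMPLE_EVENTS = [
    ("WS01", "powershell.exe -NoP -W Hidden -enc " + encode_for_powershell(
        "schtasks /create /sc daily /tn Updater /tr C:\\Users\\Public\\update.exe /f")),
    ("WS02", "powershell.exe -ec " + encode_for_powershell("Get-Date")),
    ("WS03", "powershell.exe -ExecutionPolicy Bypass -Command Get-Process"),
    ("WS04", "powershell.exe -enc not*valid*base64"),
]


if __name__ == "__main__":
    for host, script in scan_events(SAMPLE_EVENTS):
        print(f"{host}: {script}")
```

In a real pipeline the decoded script is worth storing alongside the raw event, because the encoded form defeats plain keyword searches over command-line fields.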

Indicators of Compromise

  • [IP Address] – 85.239.54.17, 135.125.137.220, 46.249.58.140:13338. Context: IPs used for C2 or download infrastructure.
  • [Domain] – google.com, drive.google.com, raw.githubusercontent.com, github.com, onedrive.live.com. Context: google.com is contacted only as a connectivity/sandbox check; the others host the stage 2 downloads. All are legitimate services, so these are for hunting in proxy and DNS logs, not for blocklists.
  • [File Hash] – 466ed2f97d127e91ce29d79cd05dbedbe04c5c07, faab8d9ad58d383ab895ff98bc215b497e78a89c, dbd157edaa3f76d14f2bb2c2d81bab33db147f44, cf27558d19b8f7311f48d95ad2f4c24972939929, 98e37967dbd6ed93ea9e93dbe9617da8770e60c8, c913e33c245dd7257ea671b9ec5f97b65c110371. Context: SHA1 hashes of the stage 1 npm package versions and their bundled files.
  • [File Hash] – 81977085079d5629cd9a932055273ed38a7ce87b and e21f62e59bdb08e612065569f169cd5967987d88. Context: SHA1 hashes of the password-protected ZIP payloads.
  • [File Hash] – 748a67a4276a7547f2413c14b7de7f76342038ef, 09ecdcc7abd426204ba8d494ce1a6431a5d0d6b9. Context: SHA1 hashes of the stage 2 PE payloads.
  • [File Hash] – 9915c952ce178eaac65912d4f94cc966840e59eb, d6958efce576ac790d3a053988060ff3da92b5e5, 3f13b5fcde0a0451221f2d96322857e99d490406. Context: SHA1 hashes of the Mach-O stage 2 payloads.
  • [Archive Password] – J##$dj%qvvV89. Context: password protecting DiagnosticsLogger.zip; needed to extract DiagnosticsHub.exe for analysis.
  • [URL] – https://drive.google.com/uc?export=download&id=1eaFJYy0cLLONFaMDKMUmcU6Js0jG5p8r, https://raw.githubusercontent.com/jfrank4512/Mdam/main/test.txt. Context: stage 2 download sources (Google Drive primary, GitHub fallback).
  • [Archive] – DiagnosticsLogger.zip, DiagnosticsHub.exe. Context: DiagnosticsLogger.zip is the password-protected archive the postinstall script downloads; DiagnosticsHub.exe is the Windows executable inside it.
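The stage 2 download sources listed above serve a file the post describes as XOR-encrypted and base64-encoded, without stating the key or its length. As an added example (mine, not code from the ReversingLabs post), the block below shows how an analyst who has pulled such a blob can recover a single-byte XOR key without the stage 1 sample, by using the PE header (`MZ` at offset 0, `PE\0\0` at `e_lfanew`) as known plaintext. The single-byte assumption is mine; a longer key has to come from the stage 1 code. The sample blob is constructed and is not a real executable.

```python
"""Recover a XOR-encrypted, base64-encoded stage 2 blob when the XOR key is a
single byte, using the PE header as known plaintext.

Added example for this summary, not code from the ReversingLabs post. The post
says stage 2 is "XOR encrypted and base64 encoded" but gives neither the key
nor its length; the single-byte assumption is mine (a longer key needs the key
extracted from the stage 1 sample), and the sample blob is constructed.
"""
import base64
import struct


def xor_bytes(data, key):
    """XOR every byte with a single-byte key."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data):
    """True if data starts with MZ and carries the PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_stage2(blob_b64):
    """Return (key, plaintext) for the first single-byte key that yields a PE,
    or (None, None) when none does (wrong key length, or not a PE at all)."""
    raw = base64.b64decode(blob_b64)
    for key in range(256):
        candidate = xor_bytes(raw, key)
        if looks_like_pe(candidate):
            return key, candidate
    return None, None


def build_sample_blob(key=0x5A):
    """Constructed stand-in for the downloaded file: a minimal PE-shaped header
    (not a real executable) XORed with `key` and base64-encoded."""
    header = bytearray(b"MZ" + b"\x00" * 0x3A)      # DOS header up to e_lfanew
    header += struct.pack("<I", 0x40)                # e_lfanew -> 0x40
    header += b"PE\x00\x00" + b"constructed sample"  # PE signature + filler
    return base64.b64encode(xor_bytes(bytes(header), key)).decode("ascii")


if __name__ == "__main__":
    key, plaintext = decode_stage2(build_sample_blob())
    print(f"key=0x{key:02X}, starts with {plaintext[:2]!r}")
```

For the macOS variant the same approach works with the Mach-O magic (`0xfeedfacf` for 64-bit) in place of the `MZ`/`PE` check. A `(None, None)` result means the key is not a single byte or the blob is not an executable, and the key must be read out of the stage 1 code instead.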

Read more: https://blog.reversinglabs.com/blog/threat-analysis-malicious-npm-package-mimicks-material-tailwind-css-tool