When an unsuspecting developer installs such a package, a post-install script triggers and reaches out to a staging endpoint hosted on Vercel. That endpoint in turn delivers a live payload fetched from a threat-actor controlled GitHub account named “stardev0914”. From there the payload, a variant of OtterCookie that also folds in capabilities from the campaign’s other signature payload, BeaverTail, executes and establishes a remote connection to the attackers’ command-and-control server. The malware then silently harvests credentials, crypto-wallet data, browser profiles and more.
“Tracing the malicious npm package tailwind-magic led us to a Vercel-hosted staging endpoint, tetrismic[.]vercel[.]app, and from there to the threat actor controlled GitHub account which contained 18 repositories,” Socket’s senior threat intelligence analyst Kirill Boychenko said in a blog post, crediting related research by Kieran Miyamoto that helped confirm the malicious GitHub account stardev0914.
A ‘full stack’ adversary: GitHub, Vercel, and NPM
What makes this campaign stand out is the layered infrastructure behind it. Socket’s analysis traced not just the NPM packages but also how the attackers built a complete delivery pipeline: malware-serving repositories on GitHub, staging servers on Vercel, and separate C2 servers for exfiltration and remote command execution.