North Korean Malware Lurks in Plain Sight Inside Developers’ Tailwind Config Files

A developer found North Korean malware hidden after whitespace in tailwind.config.js. The obfuscated code phoned home to blockchain APIs and spawned persistent processes. This incident reflects a broader Contagious Interview campaign that has poisoned hundreds of npm packages and legitimate repositories to steal credentials and crypto assets.
Written by Dave Ritchie

A developer sat down to tweak color tokens in a fresh Tailwind configuration. The paste felt sluggish. Seconds later the file revealed hundreds of blank lines followed by a dense block of scrambled JavaScript. That single observation triggered a frantic night of process kills, credential rotations and repository audits. The code belonged to a North Korean operation that has quietly poisoned build tools and open-source packages for years.

The piece published by Infosec Writeups on June 21, 2026, recounts the moment the author, writing under the name Couch Potato, spotted the anomaly. “I was just copying my old color tokens into a fresh tailwind.config.js file. Except the paste took a second too long,” the author wrote. Scrolling exposed obfuscated code hidden after whitespace. Standard antivirus tools raised no alerts. The configuration file, touched once during project setup and then ignored, had become the perfect hiding place.

But this was no isolated glitch. The same pattern appears across multiple repositories and malicious npm packages. Researchers at Socket documented how North Korean actors tied to the Contagious Interview campaign pushed at least 197 additional malicious packages after October 2025. Those packages racked up more than 31,000 downloads before many were removed. Several carried names designed to mimic legitimate utilities: tailwind-magic, node-tailwind, tailwind-node. One, tailwind-magic version 3.3.1, acted as a typosquatted clone of the popular tailwind-merge library. A postinstall script fetched fresh JavaScript from a Vercel-hosted endpoint and executed it with eval. The infrastructure traced back to a GitHub account named stardev0914 that controlled 18 repositories serving both lures and loaders.

The malware itself follows a familiar script for these actors. It begins with heavy obfuscation. Multiple layers of string shuffling, seeded array rotation and hex encoding conceal the logic. One signature string, “rmcej%otb%”, paired with a large integer seed, appears in variants that inject into config files such as tailwind.config.js, postcss.config.mjs and eslint.config.mjs. Once decoded the code phones home, often to blockchain APIs like api.trongrid.io for TRON network calls or Aptos mainnet nodes. The goal mixes credential theft, wallet draining and persistence. In production environments the payload spawns rogue Node processes that survive restarts and quietly exfiltrate data.

The author of the Infosec Writeups account faced exactly that scenario. Three separate commits under their own name had introduced the code into different projects over the course of a month. Git history showed commits stamped with a Pyongyang Standard Time offset (UTC+9). Six unknown Node processes ran on production servers. The developer spent hours killing processes, rotating every API key and OAuth token, resetting SSH keys and auditing git reflog across every repository. “Assume full compromise of everything on that machine,” the post advised. Daily process monitoring became mandatory afterward.

Attribution points to the cluster Trend Micro tracks as Void Dokkaebi and CrowdStrike as Famous Chollima, operating under the broader Lazarus umbrella. These actors have refined their approach since at least 2023. Early efforts relied on fake recruiter messages on LinkedIn that delivered trojanized coding challenges. Developers who accepted fake job interviews downloaded repositories laced with BeaverTail, a JavaScript stealer. The malware harvested browser credentials, cryptocurrency wallet data and system information before dropping a Python-based remote access tool called InvisibleFerret.

By 2025 the campaign expanded into supply-chain attacks at scale. The Hacker News reported in April 2025 that 11 malicious npm packages had been downloaded more than 5,600 times. Packages with names such as cln-logger and consolidate-logger functioned as loaders. They fetched additional JavaScript that deployed a previously undocumented Windows backdoor named Tropidoor. That backdoor operated from memory, issued commands via schtasks and reg, captured screenshots and deleted selected files. South Korean firm AhnLab tied the activity to recruitment-themed phishing that delivered BeaverTail first, then Tropidoor.

Socket’s November 2025 analysis revealed even deeper infrastructure. The tailwind-magic package reached out to tetrismic.vercel.app for payload staging. From there investigators pivoted to the stardev0914 GitHub account. Repositories mixed crypto-themed lures with clean-looking frontend code that imported the malicious loaders. One cloned a Knightsbridge decentralized exchange interface only to wire it to node-tailwind. The threat actors maintained separate command-and-control servers for data collection. OtterCookie, a later evolution that merges traits of BeaverTail and earlier variants, added keylogging, clipboard monitoring, multi-monitor screenshots and recursive filesystem searches for secret files.

Recent incidents show the tactic spreading beyond npm. GitHub community discussions from mid-2025 describe attackers force-pushing malicious code into legitimate repositories. The injected payload appeared at the end of common configuration files after generous whitespace padding. Developers reported the same obfuscation routine and identical function names. In one case an organization saw the malware reappear even after cleaning the repository, suggesting a compromised developer workstation or CI/CD pipeline. Hundreds of GitHub accounts appear to have been compromised in related activity according to OpenSourceMalware researchers tracking a campaign they named PolinRider.

The financial motive remains clear. North Korean operations have stolen billions in cryptocurrency over the past several years. Supply-chain compromises offer a low-risk path to high-value targets. Developers working on DeFi projects, blockchain infrastructure or enterprise applications hold the keys attackers want. A single infected tailwind.config.js can expose production credentials, private keys and internal network access. The code does not need to run during normal development. It activates when build tools import the configuration or when Node starts in production.

Defenders face a stubborn problem. Configuration files rarely receive code review. Teams trust that a tailwind.config.js contains only style presets. Package managers run a dependency's install-time lifecycle hooks (preinstall, install, postinstall) automatically, without inspecting what those hooks do. Obfuscated JavaScript blends into the noise of modern frontend projects. Even when researchers publish IOCs, new packages and new GitHub accounts appear within days. The Socket team described the activity as a “factory” operation that sustains weekly releases.

Yet the discovery process itself offers lessons. Listing processes with ps aux and filtering for node surfaces workers that no deployment started. Grepping config files for long base64 strings, hex-escaped string arrays or eval calls turns up the hidden payloads, and a file that should hold a few dozen lines of style presets but scrolls for hundreds is suspicious on size alone. Git reflog and author timezone checks quickly expose unauthorized commits. The Infosec Writeups author built a small repository of detection scripts after the incident and encouraged others to run them regularly.

The campaign shows no signs of slowing. As recently as March 2026, Google researchers linked North Korean actors to a supply-chain compromise of the Axios HTTP library that affected hundreds of thousands of organizations. That incident followed the same pattern of injecting malicious code into a widely used dependency. Industry reports continue to surface new clusters that blend social engineering with automated package publication.

Developers and security teams alike now confront a reality where the tools they trust most demand constant scrutiny. A config file opened once at project creation can carry silent consequences months later. The code that powers modern web applications has become both the target and the delivery vehicle for state-sponsored theft. And the next infection may already sit inside a repository that looks perfectly ordinary.
