I found North Korean (DPRK) malware hiding in my tailwind.config.js
I almost closed the file without reading it. Three days later I was killing processes in production. 2026-7-4 04:24:18 Author: infosecwriteups.com

Couch Potato

I almost closed the file without reading it. Three days later I was killing processes in production at 2am, rotating every credential I own, and staring at a git commit with my name on it that I never made. If you’ve got an active Node project, you’ll probably want to check it before you finish reading this.

This wasn’t package.json or something deep in node_modules. It was tailwind.config.js. The file you touch once, when you’re setting up the project, figuring out whether your primary color is blue-600 or blue-700. Then you never open it again. Half of us didn’t even write ours; it got spat out by create-next-app or a starter template and we never looked twice.

I wasn’t even looking for anything wrong. I was just copying my old color tokens into a fresh tailwind.config.js file. Except the paste took a second too long. Five lines of config shouldn’t lag a clipboard. Huh? I scrolled down to see what I’d actually copied. Nothing obvious. Then I diffed it online and discovered a wall of obfuscated code hidden after hundreds of empty spaces, like someone wanted you to stop scrolling before you ever saw it.

That shouldn’t be there.

Obfuscated. On purpose. By someone.

/** @type {import('tailwindcss').Config} */
module.exports = {
content…
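The trick described above, a payload parked behind hundreds of spaces on an otherwise ordinary line, is cheap to check for mechanically. The scanner below is an added example, not code from the post or its author; it flags lines that contain an abnormally long run of whitespace between two tokens, lines that are far longer than any hand-written config line, and lines carrying tokens that have no business in a Tailwind config (eval, atob, child_process and friends). The thresholds (80 characters of padding, 300 characters per line) and the sample config with its placeholder payload are assumptions constructed for the demonstration.

```python
import re
import sys

# Constructed sample: a clean tailwind.config.js, and a copy whose last line hides a
# payload far to the right of the closing brace. The payload is a placeholder string.
CLEAN_CONFIG = (
    "/** @type {import('tailwindcss').Config} */\n"
    "module.exports = {\n"
    "  content: ['./src/**/*.{js,ts,jsx,tsx}'],\n"
    "  theme: { extend: { colors: { primary: '#2563eb' } } },\n"
    "  plugins: [],\n"
    "};\n"
)
SAMPLE_CONFIG = (
    CLEAN_CONFIG.rstrip("\n")
    + " " * 400
    + "eval(atob('PLACEHOLDER_OBFUSCATED_PAYLOAD'))\n"
)

MIN_GAP = 80        # assumed: no formatter puts this many spaces between two tokens
MAX_LINE_LEN = 300  # assumed: Tailwind config lines are short; longer deserves a look
SUSPICIOUS = re.compile(
    r"\b(eval|Function|atob|fromCharCode|child_process|execSync|spawn)\b"
)


def scan_text(text, min_gap=MIN_GAP, max_len=MAX_LINE_LEN):
    """Return [(line_number, [reasons], preview)] for every line that looks off."""
    # Leading indentation never matches: the gap must sit between two non-space chars.
    gap_re = re.compile(r"\S[ \t]{%d,}\S" % min_gap)
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        reasons = []
        if gap_re.search(line):
            reasons.append("whitespace_gap")
        if len(line) > max_len:
            reasons.append("long_line")
        if SUSPICIOUS.search(line):
            reasons.append("suspicious_token")
        if reasons:
            # Collapse the padding so the preview shows what was hiding behind it.
            preview = re.sub(r"[ \t]{2,}", " <...> ", line.strip())[:120]
            findings.append((lineno, reasons, preview))
    return findings


def scan_file(path):
    """Scan one file on disk; errors='replace' keeps odd encodings from aborting a sweep."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return scan_text(f.read())


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        # No arguments: demonstrate on the constructed sample.
        for lineno, reasons, preview in scan_text(SAMPLE_CONFIG):
            print(f"<sample>:{lineno}: {', '.join(reasons)}: {preview}")
    for path in paths:
        for lineno, reasons, preview in scan_file(path):
            print(f"{path}:{lineno}: {', '.join(reasons)}: {preview}")
```

Run it over every config-like file in a project (`python scan.py tailwind.config.js postcss.config.js next.config.js` or whatever your tree contains); a `whitespace_gap` hit on a file you never edit is exactly the symptom the post describes, and the collapsed preview shows what was sitting past the edge of the editor window without having to scroll there.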

Source: https://infosecwriteups.com/i-found-north-korean-dprk-malware-hiding-in-my-tailwind-config-js-45af2283742c?source=rss----7b722bfd1b8d---4