Feed
HighPublished 26 Jun 20261 package · 2 versions

`tw-style-utils` — SStar Agent cross-platform RAT delivered via Tailwind Typography typosquat

Summary

tw-style-utils masqueraded as a Tailwind CSS typography plugin (99% of its code copied from @tailwindcss/typography) while ~5KB of top-level IIFE downloader code installed SStar Agent, a Windows/macOS RAT with keyboard/clipboard hooks and exfiltration capability. Two versions (0.7.0, 0.7.1) were live on npm from 2026-05-26 17:19 UTC; npm yanked the package and replaced latest with a 0.0.1-security holder on 2026-06-26 05:17 UTC, and GitHub published GHSA-75cr-ggc5-8h7g the same day.

typosquatinfostealercredential-theftcrypto-wallet-drainobfuscation
Detected by
GitHub Advisory Database · gm7.org · CN-SEC
Also known as
SStar Agent · tw-style-utils typosquat
Ecosystems
npm
Packages tracked
1

What happened

On 2026-05-26 at 17:19 UTC, an attacker published tw-style-utils@0.7.0 to npm; a second version 0.7.1 followed at 18:55 UTC the same day. The package presented as a Tailwind CSS typography plugin and copied 99% of its source verbatim from the legitimate @tailwindcss/typography package. The malicious surface was a single ~5KB top-level IIFE downloader hidden inside the otherwise-legitimate code: because it executed on module require/import rather than from a postinstall lifecycle script, npm install --ignore-scripts was no protection, and any developer who simply imported the module to evaluate it in a sandboxed editor session triggered the payload.

The tarball size (~80KB) versus the legitimate plugin's ~10KB was the most obvious authoring tell: the extra ~70KB was the payload and the wrapper that fetched second-stage code. The dropper retrieves and runs SStar Agent, a cross-platform RAT for Windows and macOS that installs keyboard and clipboard hooks, performs file-system surveillance, and exfiltrates to attacker-controlled infrastructure. Reverse-engineering by independent Chinese security researchers (gm7.org / cn-sec) attributes the campaign as overlapping with North Korea-aligned Web3 social-engineering operations consistent with the broader Lazarus / Famous Chollima / BlueNoroff cluster, although no single Western vendor has issued formal attribution.

Distribution: the paired Web3 lure

The npm package was paired with a GitHub repository star45674/smart-contract-engineer-role — a fake take-home assessment for a Web3 / smart-contract engineering role. The repo's package.json lists tw-style-utils as a dependency, so any candidate running npm install to set up the assignment imports the SStar Agent dropper. This is the same lure pattern as the Contagious Interview / Famous Chollima campaigns Socket and Microsoft have repeatedly documented in 2026, where North Korea-aligned operators pose as recruiters and ship malicious npm packages disguised as coding-challenge dependencies.

Disclosure timeline

  • 2026-05-26 17:19 UTCtw-style-utils@0.7.0 published; 0.7.1 follows at 18:55 UTC.
  • 2026-06-26 05:17 UTC — npm yanks both versions and replaces latest with a 0.0.1-security holder.
  • 2026-06-26 — GitHub publishes GHSA-75cr-ggc5-8h7g, classifying the package as CWE-506 Embedded Malicious Code with severity guidance "any computer that has this package installed or running should be considered fully compromised."
  • 2026-06 — gm7.org (Chinese-language threat-intel blog) publishes "SStar 一例 Web3 npm 投毒的孤狼案例" with full reverse-engineering of the downloader, the SStar Agent payload, and the paired GitHub Web3-recruiter lure.

Affected packages (1)

  • npmtw-style-utils
    0.7.00.7.1

Impact

  • Full cross-platform RAT on Windows and macOS: surveillance, file/keyboard/clipboard exfiltration, arbitrary command execution
  • No postinstall hook required — payload is an immediately-invoked top-level IIFE, so simply require()/import of the module is enough to trigger execution
  • Web3 / smart-contract developers targeted via a paired GitHub repo star45674/smart-contract-engineer-role posing as a take-home assignment — installing the assignment's dependencies pulls tw-style-utils
  • Likely credential and wallet theft once the agent is resident; campaign overlaps with previously documented North Korea-aligned Web3 social-engineering operations (Lazarus / Famous Chollima / BlueNoroff lineage)

What to do

  1. 1Remove tw-style-utils from every package.json / lockfile / CI image — the live npm record now resolves to a 0.0.1-security holder, but any cached tarball of 0.7.0 / 0.7.1 (Artifactory, Nexus, committed node_modules, build caches) is still malicious
  2. 2Treat any host that installed or merely required tw-style-utils between 2026-05-26 17:19 UTC and 2026-06-26 05:17 UTC as fully compromised: rotate all credentials, browser session cookies, SSH keys, and crypto-wallet seed phrases from a separate clean device
  3. 3Audit recent recruiting / take-home assessments pulled from GitHub — specifically the repo star45674/smart-contract-engineer-role and other Web3 "engineering test" repos that pin tw-style-utils
  4. 4Hunt for SStar Agent persistence on developer macOS / Windows endpoints — clipboard / keyboard hook artifacts, unexplained LaunchAgents / Scheduled Tasks, and outbound C2 patterns documented in the gm7.org analysis
  5. 5Use the legitimate @tailwindcss/typography package; verify the scope is @tailwindcss/, not the unscoped tw-* lookalike

References

npm-2026-06-26-sstar-tw-style-utils