tailwind.config.js and similar config files load and execute at build time in most modern frameworks — meaning code placed there runs with whatever environment access your build process has, often including CI/CD secrets. They are also the files reviewers' eyes slide right past, because "config file" doesn't read as "executable code" to most developers, even though it is.
Cross-posted from my Medium series on a real Void Dokkaebi-style infection. Full writeup and incident response details linked at the end. Scripts are on GitHub.
I found obfuscated JavaScript in my tailwind.config.js. Not in a dependency, not in node_modules — in the config file, committed with my GitHub account. All commits were found in three different repositories, under my own identity.
I ran Malwarebytes on it, more than once, pointed directly at the file. Nothing. macOS's own built-in security didn't flag it either. It was built well enough that the tools whose entire job is catching this didn't.
A Void Dokkaebi-style infection (the DPRK-linked threat group also tracked as Famous Chollima / UNC5342) with a JSON-RPC beacon calling api.trongrid.io every 30 seconds, reading my environment variables, looking for crypto wallet credentials. I found three infected files locally, then six unexplained processes running in production.
This post is the "run this now" version. Full investigation, deobfuscation steps, and incident response timeline are in the linked post.
Run this right now (takes under 5 minutes)
# 1. Check for processes you don't recognize
ps aux | grep node
# 2. Scan for encoded payload blobs
grep -r --include="*.js" --include="*.ts" \
-E "[A-Za-z0-9+/]{200,}={0,2}" \
. --exclude-dir=node_modules -l
# 3. Check your config files for code that shouldn't be there
grep -rn "function\|eval\|btoa\|atob\|setInterval\|setTimeout" \
tailwind.config.js next.config.js vite.config.js \
webpack.config.js babel.config.js 2>/dev/null
If any of these return something you didn't put there: stop, don't push, don't deploy, kill the process, rotate your secrets. (And if you're killing processes that respawn, watch -n 5 'ps aux | grep node' to keep an eye on it.)
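The two grep steps above are the whole check, but a reviewer usually wants the same logic in a form that reports line numbers and can be dropped into a pre-commit hook or CI job. The Python below is an added example written for this post; it is not one of the scripts in the marauders-map repo and makes no claim about how they work. It applies the step 2 regex and the step 3 token list to file contents and runs them over two constructed sample configs: a stock tailwind.config.js and the same file with a placeholder blob (240 "A" characters, which is the base64 of 180 zero bytes, standing in for a real encoded payload) plus a decode-on-a-timer line. The extra tokens `child_process` and `process.env`, the skipping of `//` comment lines, and the sample contents are my assumptions, not the post's.

```python
import re
import sys

# Step 2 from the post: a run of 200+ base64 characters with optional padding.
ENCODED_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

# Step 3 from the post (function, eval, btoa, atob, setInterval, setTimeout),
# plus two assumed additions that fit the "reads env vars, spawns things"
# behaviour described: child_process and process.env.
SUSPICIOUS_TOKENS = (
    "function", "eval", "btoa", "atob", "setInterval", "setTimeout",
    "child_process", "process.env",
)
TOKEN_RE = re.compile(r"\b(" + "|".join(map(re.escape, SUSPICIOUS_TOKENS)) + r")\b")

# The config files named in the post; scanned from the current directory by main().
CONFIG_FILES = (
    "tailwind.config.js", "next.config.js", "vite.config.js",
    "webpack.config.js", "babel.config.js",
)


def find_encoded_blobs(text):
    """Return (line_no, length) for every long base64-looking run in text."""
    hits = []
    for m in ENCODED_BLOB_RE.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        hits.append((line_no, len(m.group(0))))
    return hits


def find_suspicious_tokens(text):
    """Return (line_no, token) for each suspicious identifier, in source order.
    Lines that are purely // comments are skipped (assumption: reduces noise)."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("//"):
            continue
        for m in TOKEN_RE.finditer(line):
            hits.append((line_no, m.group(1)))
    return hits


def scan_config(text):
    """Combine both checks into one report. 'suspicious' means 'go read it',
    not 'confirmed malicious'."""
    blobs = find_encoded_blobs(text)
    tokens = find_suspicious_tokens(text)
    return {
        "encoded_blobs": blobs,
        "suspicious_tokens": tokens,
        "suspicious": bool(blobs) or bool(tokens),
    }


def scan_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_config(fh.read())


# --- constructed samples (not real files from the incident) -----------------
CLEAN_CONFIG = """/** @type {import('tailwindcss').Config} */
module.exports = {
  content: ["./src/**/*.{js,ts,jsx,tsx}"],
  theme: { extend: {} },
  plugins: [],
};
"""

_BLOB = "A" * 240  # constructed stand-in for an encoded payload (base64 of 180 zero bytes)

SUSPICIOUS_CONFIG = CLEAN_CONFIG + (
    "// the shape the post describes: decode a blob and run it on a timer\n"
    f'const _p = "{_BLOB}";\n'
    "setInterval(() => { (0, eval)(atob(_p)); }, 30000);\n"
)


if __name__ == "__main__":
    # With no arguments, scan the post's config file names in the current directory.
    paths = sys.argv[1:] or CONFIG_FILES
    for path in paths:
        try:
            report = scan_file(path)
        except FileNotFoundError:
            continue
        flag = "SUSPICIOUS" if report["suspicious"] else "clean"
        print(f"{path}: {flag}")
        for line_no, length in report["encoded_blobs"]:
            print(f"  line {line_no}: encoded run of {length} chars")
        for line_no, token in report["suspicious_tokens"]:
            print(f"  line {line_no}: {token}")
```

On the clean sample `scan_config` reports nothing; on the suspicious one it reports the blob on line 8 and `setInterval`, `eval`, `atob` on line 9. Two caveats worth knowing before wiring this into CI: the 200-character regex also fires on legitimate long base64 (inline data: URIs, embedded fonts, source maps, some minified bundles), and `function` alone matches any config that defines a plugin, so treat a hit as a pointer to a line to read, and confirm by decoding the blob yourself rather than trusting the match.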
I still don't have a confirmed entry vector — that part of the investigation is ongoing.
I built out a full detection suite from this incident — process scanners, encoded-string detectors, a composite Void Dokkaebi pattern scan. All in the /scripts folder:
🔗 GitHub: github.com/Potat0-0/marauders-map
If you find this useful, a star helps other devs find it. If you've seen a similar infection — especially commits under your own identity, especially on macOS — I'd genuinely like to compare notes. I filed a Security StackExchange thread that's becoming a collection point for similar reports.
Full writeup and incident response details -> Medium Post