`tw-style-utils` — SStar Agent cross-platform RAT delivered via Tailwind Typography typosquat
tw-style-utils masqueraded as a Tailwind CSS typography plugin (99% of its code copied from @tailwindcss/typography) while ~5KB of top-level IIFE downloader code installed SStar Agent, a Windows/macOS RAT with keyboard/clipboard hooks and exfiltration capability. Two versions (0.7.0, 0.7.1) were live on npm from 2026-05-26 17:19 UTC; npm yanked the package and replaced latest with a 0.0.1-security holder on 2026-06-26 05:17 UTC, and GitHub published GHSA-75cr-ggc5-8h7g the same day.
- Detected by
- GitHub Advisory Database · gm7.org · CN-SEC
- Also known as
- SStar Agent · tw-style-utils typosquat
- Ecosystems
- npm
- Packages tracked
- 1
What happened
On 2026-05-26 at 17:19 UTC, an attacker published tw-style-utils@0.7.0 to npm; a second version 0.7.1 followed at 18:55 UTC the same day. The package presented as a Tailwind CSS typography plugin and copied 99% of its source verbatim from the legitimate @tailwindcss/typography package. The malicious surface was a single ~5KB top-level IIFE downloader hidden inside the otherwise-legitimate code: because it executed on module require/import rather than from a postinstall lifecycle script, npm install --ignore-scripts was no protection, and any developer who simply imported the module to evaluate it in a sandboxed editor session triggered the payload.
The tarball size (~80KB) versus the legitimate plugin's ~10KB was the most obvious authoring tell: the extra ~70KB was the payload and the wrapper that fetched second-stage code. The dropper retrieves and runs SStar Agent, a cross-platform RAT for Windows and macOS that installs keyboard and clipboard hooks, performs file-system surveillance, and exfiltrates to attacker-controlled infrastructure. Reverse-engineering by independent Chinese security researchers (gm7.org / cn-sec) attributes the campaign as overlapping with North Korea-aligned Web3 social-engineering operations consistent with the broader Lazarus / Famous Chollima / BlueNoroff cluster, although no single Western vendor has issued formal attribution.
Distribution: the paired Web3 lure
The npm package was paired with a GitHub repository star45674/smart-contract-engineer-role — a fake take-home assessment for a Web3 / smart-contract engineering role. The repo's package.json lists tw-style-utils as a dependency, so any candidate running npm install to set up the assignment imports the SStar Agent dropper. This is the same lure pattern as the Contagious Interview / Famous Chollima campaigns Socket and Microsoft have repeatedly documented in 2026, where North Korea-aligned operators pose as recruiters and ship malicious npm packages disguised as coding-challenge dependencies.
Disclosure timeline
- 2026-05-26 17:19 UTC —
tw-style-utils@0.7.0published;0.7.1follows at 18:55 UTC. - 2026-06-26 05:17 UTC — npm yanks both versions and replaces
latestwith a0.0.1-securityholder. - 2026-06-26 — GitHub publishes
GHSA-75cr-ggc5-8h7g, classifying the package as CWE-506 Embedded Malicious Code with severity guidance "any computer that has this package installed or running should be considered fully compromised." - 2026-06 — gm7.org (Chinese-language threat-intel blog) publishes "SStar 一例 Web3 npm 投毒的孤狼案例" with full reverse-engineering of the downloader, the SStar Agent payload, and the paired GitHub Web3-recruiter lure.
Affected packages (1)
- npm
tw-style-utils0.7.00.7.1
Impact
- Full cross-platform RAT on Windows and macOS: surveillance, file/keyboard/clipboard exfiltration, arbitrary command execution
- No
postinstallhook required — payload is an immediately-invoked top-level IIFE, so simplyrequire()/importof the module is enough to trigger execution - Web3 / smart-contract developers targeted via a paired GitHub repo
star45674/smart-contract-engineer-roleposing as a take-home assignment — installing the assignment's dependencies pullstw-style-utils - Likely credential and wallet theft once the agent is resident; campaign overlaps with previously documented North Korea-aligned Web3 social-engineering operations (Lazarus / Famous Chollima / BlueNoroff lineage)
What to do
- 1Remove
tw-style-utilsfrom everypackage.json/ lockfile / CI image — the live npm record now resolves to a0.0.1-securityholder, but any cached tarball of0.7.0/0.7.1(Artifactory, Nexus, committednode_modules, build caches) is still malicious - 2Treat any host that installed or merely required
tw-style-utilsbetween 2026-05-26 17:19 UTC and 2026-06-26 05:17 UTC as fully compromised: rotate all credentials, browser session cookies, SSH keys, and crypto-wallet seed phrases from a separate clean device - 3Audit recent recruiting / take-home assessments pulled from GitHub — specifically the repo
star45674/smart-contract-engineer-roleand other Web3 "engineering test" repos that pintw-style-utils - 4Hunt for SStar Agent persistence on developer macOS / Windows endpoints — clipboard / keyboard hook artifacts, unexplained LaunchAgents / Scheduled Tasks, and outbound C2 patterns documented in the gm7.org analysis
- 5Use the legitimate
@tailwindcss/typographypackage; verify the scope is@tailwindcss/, not the unscopedtw-*lookalike