A Closer Look at the IconBurst and Material Tailwind Attacks | WhoisXML API

Threat reports

Supply Chain Security: A Closer Look at the IconBurst and Material Tailwind Attacks

ReversingLabs saw the volume of supply chain software attacks rise to unprecedented heights this year and predicts we’ll see more in 2023.1 Their report cited two examples of such attacks—IconBurst2 and Material Tailwind3—and urged npm and PyPI users to be wary of downloading packages from open-source repositories.

Our deep dive into the threats found thousands more artifacts that led us to second their call. Here’s a summary of our findings.

  • The IconBurst domains identified as IoCs resolved to more than a dozen IP addresses.
  • 2,400+ domains shared the IconBurst IoCs’ IP hosts, 14 of which turned out to be malicious.
  • A couple of domains identified as IconBurst IoCs had unredacted email addresses in some of their historical WHOIS records.
  • An IconBurst IoC’s unredacted registrant email address was used to register other domains, two of which were named by ReversingLabs in their report.
  • An IP address identified as a Material Tailwind IoC led to a possibly connected domain.
  • The string “parsee” that can be found in the Material Tailwind artifact was shared by more than a dozen other domains sporting different top-level domain (TLD) extensions.

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1] https://blog.reversinglabs.com/blog/the-state-of-software-supply-chain-security
  • [2] https://blog.reversinglabs.com/blog/iconburst-npm-software-supply-chain-attack-grabs-data-from-apps-websites
  • [3] https://blog.reversinglabs.com/blog/threat-analysis-malicious-npm-package-mimicks-material-tailwind-css-tool
Try our WhoisXML API for free
Get started