A Closer Look at the IconBurst and Material Tailwind Attacks | WhoisXML API


Supply Chain Security: A Closer Look at the IconBurst and Material Tailwind Attacks

ReversingLabs saw the volume of supply chain software attacks rise to unprecedented heights this year and predicts we’ll see more in 2023 [1]. Their report cited two examples of such attacks—IconBurst [2] and Material Tailwind [3]—and urged npm and PyPI users to be wary of downloading packages from open-source repositories.

Our deep dive into the threats found thousands more artifacts that led us to second their call. Here’s a summary of our findings.

  • The IconBurst domains identified as IoCs resolved to more than a dozen IP addresses.
  • 2,400+ domains shared the IconBurst IoCs’ IP hosts, 14 of which turned out to be malicious.
  • A couple of domains identified as IconBurst IoCs had unredacted email addresses in some of their historical WHOIS records.
  • An IconBurst IoC’s unredacted registrant email address was used to register other domains, two of which were named by ReversingLabs in their report.
  • An IP address identified as a Material Tailwind IoC led to a possibly connected domain.
  • The string “parsee” that can be found in the Material Tailwind artifact was shared by more than a dozen other domains sporting different top-level domain (TLD) extensions.
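The findings above are the output of three infrastructure pivots: seed IoC domains to the IP addresses they resolved to and the other domains hosted there, an unredacted registrant email from historical WHOIS to the other domains registered with it, and a string from an artifact to same-label domains under other TLDs. The following is an added example of that expansion logic, not code from WhoisXML API or ReversingLabs; every domain, IP, email and lookup table in it is a constructed placeholder, standing in for what passive-DNS and historical-WHOIS lookups would return for the real IoCs.

```python
"""IoC expansion by DNS and WHOIS pivoting (added example, constructed data).

All domains, IPs and emails below are placeholders, not the report's IoCs.
In practice DNS and WHOIS would be filled from passive-DNS and historical
WHOIS lookups; here they are embedded so the example runs offline.
"""
from dataclasses import dataclass

# Constructed passive-DNS data: domain -> set of IPs it has resolved to.
DNS = {
    "seed-one.example": {"203.0.113.10", "203.0.113.11"},
    "seed-two.example": {"203.0.113.11"},
    "cohosted-a.example": {"203.0.113.10"},
    "cohosted-b.example": {"203.0.113.11", "198.51.100.5"},
    "unrelated.example": {"198.51.100.9"},
    "parsee.example": {"198.51.100.7"},
    "parsee.test": {"198.51.100.7"},
    "parsee-cdn.example": {"198.51.100.8"},
}

# Constructed historical WHOIS: domain -> registrant emails seen in any record.
WHOIS = {
    "seed-one.example": {"registrant@mail.example"},
    "seed-two.example": {"REDACTED FOR PRIVACY"},
    "sibling-reg.example": {"registrant@mail.example"},
    "cohosted-a.example": {"other@mail.example"},
}

# Registrant values that carry no pivot value (privacy-redacted records).
REDACTED = {"redacted for privacy", ""}


@dataclass(frozen=True)
class Pivot:
    domain: str
    via: str  # provenance: "ip:<addr>", "email:<addr>" or "label:<string>"


def ip_pivots(seeds, dns=DNS):
    """Domains that shared an IP host with any seed IoC (co-hosting pivot)."""
    seed_ips = set().union(*(dns.get(s, set()) for s in seeds))
    found = []
    for dom, ips in dns.items():
        if dom in seeds:
            continue
        for ip in sorted(ips & seed_ips):
            found.append(Pivot(dom, f"ip:{ip}"))
    return found


def email_pivots(seeds, whois=WHOIS):
    """Domains registered with an unredacted email also seen on a seed IoC."""
    emails = {
        e.lower()
        for s in seeds
        for e in whois.get(s, set())
        if e.lower() not in REDACTED  # redacted records yield no pivot
    }
    found = []
    for dom, es in whois.items():
        if dom in seeds:
            continue
        for e in sorted(es):
            if e.lower() in emails:
                found.append(Pivot(dom, f"email:{e.lower()}"))
    return found


def label_pivots(label, seeds, dns=DNS):
    """Domains whose leftmost label equals `label`, across different TLDs.

    Assumes single-label TLDs in the constructed data (no "co.uk" style suffixes).
    """
    found = []
    for dom in dns:
        if dom in seeds:
            continue
        if dom.split(".", 1)[0] == label:
            found.append(Pivot(dom, f"label:{label}"))
    return found


def expand(seeds, label=None):
    """Run all three pivots from a seed IoC set; results keep their provenance."""
    seeds = set(seeds)
    pivots = ip_pivots(seeds) + email_pivots(seeds)
    if label:
        pivots += label_pivots(label, seeds)
    return pivots


if __name__ == "__main__":
    for p in expand({"seed-one.example", "seed-two.example"}, label="parsee"):
        print(f"{p.domain:22s} via {p.via}")
```

Each result carries the pivot that produced it, which matters because a co-hosting pivot is much weaker evidence than a shared unredacted registrant email: the summary itself notes that only 14 of the 2,400+ co-hosted domains turned out to be malicious, so IP-derived candidates need a reputation or content check before they are treated as IoCs.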

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1] https://blog.reversinglabs.com/blog/the-state-of-software-supply-chain-security
  • [2] https://blog.reversinglabs.com/blog/iconburst-npm-software-supply-chain-attack-grabs-data-from-apps-websites
  • [3] https://blog.reversinglabs.com/blog/threat-analysis-malicious-npm-package-mimicks-material-tailwind-css-tool