I found a malware hiding in my tailwindcss config file
2026-06-21 • Couch Potato •
Attachments
sitemap.xml (2 MB)
A developer reported obfuscated JavaScript hidden in `tailwind.config.js` and another backend file across three repositories, followed by unknown Node processes in local and production environments and Git commits made under the author's name. Sandbox analysis reportedly uncovered JSON-RPC activity to `api.trongrid.io` with an Aptos mainnet fallback, which the author interpreted as blockchain-backed command-and-control. The article explicitly links the activity to Void Dokkaebi, described as a North Korea-aligned developer-targeting cluster also known as Famous Chollima and UNC5342, while noting the initial access vector remains unconfirmed. The cleanup guidance focuses on killing suspicious Node processes, rotating credentials and SSH keys, auditing Git history/reflog, and scanning JavaScript config files for obfuscated payloads.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | api.trongrid.io | 2025-10-27 | 2026-07-01 |