Malicious npm packages found posing as PostCSS tools to deliver Windows RAT

Cybersecurity researchers found three malicious npm packages that impersonate PostCSS-related tools and were designed to deliver a Windows remote access trojan, with the packages still available for download at the time of reporting. The packages were published in the past month by an npm user named abdrizak and had between 145 and 615 downloads.

KEY FACTS

  • Packages: aes-decode-runner-pro, postcss-minify-selector and postcss-minify-selector-parser.
  • Target: Windows hosts, reached through a multi-stage payload chain.
  • Delivery: a JavaScript dropper writes a PowerShell script, which downloads the next stage.
  • Capabilities: steals Chrome credentials, collects extension data, runs shell commands and moves files.
  • C2: the command server was identified as 95.216.92[.]207:8080.

A technical analysis by JFrog said the packages imitate legitimate build tooling and declare a dependency on the genuine postcss-selector-parser library, a widely used npm package with more than 127 million weekly downloads, so they install and resolve like ordinary build dependencies. The naming is chosen to look close to dependencies developers already expect to see.

Once installed, the packages drop a script called settings.ps1 that uses curl.exe to retrieve a ZIP archive from nvidiadriver[.]net. That archive contains a Visual Basic Script, a Python runtime, a loader script and Python modules compiled with Nuitka.

The Visual Basic Script sets up the Python environment and launches the loader. The report said the resulting RAT can gather host details, bypass Chrome's app-bound encryption protections, extract credentials from the browser and its extensions, and communicate with the command server.
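The chain above starts at install time, so the practical check on a developer machine or CI runner is whether a dependency will run an install hook and what that hook does. The following is an added example, not code from the article or from JFrog: it audits a package.json manifest for the three names in the report and for install-time lifecycle scripts that match the reported delivery (a PowerShell script and curl.exe), and audits a package-lock.json for the same names plus any package flagged with npm's hasInstallScript. Treating install hooks as the trigger and the regex list are assumptions generalised from the report; the sample manifest and lockfile are constructed.

```javascript
// Added example (not from the article or JFrog): audit an npm project for the
// indicators described in the report. Package names come from the report;
// treating install-time lifecycle hooks as the delivery trigger is an assumption.

// Packages named in the report.
const KNOWN_BAD = new Set([
  'aes-decode-runner-pro',
  'postcss-minify-selector',
  'postcss-minify-selector-parser',
]);

// Lifecycle scripts npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Fragments of the reported chain: a PowerShell script written to disk and
// curl.exe pulling a remote archive. Assumed heuristics; tune per environment.
const SUSPICIOUS = [
  /powershell(\.exe)?/i,
  /\.ps1\b/i,
  /\bcurl(\.exe)?\b/i,
  /Invoke-WebRequest|Invoke-Expression|DownloadString/i,
  /-EncodedCommand\b/i,
];

// Inspect one package.json object (a dependency's manifest or your own).
function auditManifest(pkg) {
  const findings = [];
  if (KNOWN_BAD.has(pkg.name)) {
    findings.push({ kind: 'known-malicious', detail: pkg.name });
  }
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd === 'string' && SUSPICIOUS.some((re) => re.test(cmd))) {
      findings.push({ kind: 'suspicious-install-hook', detail: `${pkg.name} ${hook}: ${cmd}` });
    }
  }
  return findings;
}

// Inspect a package-lock.json (lockfileVersion 2 or 3). The lock does not carry
// script bodies, but its `hasInstallScript` flag marks packages that will run
// one, so those are the manifests to open and read before installing.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    // Last "node_modules/" segment gives the package name, scoped names included.
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (KNOWN_BAD.has(name)) {
      findings.push({ kind: 'known-malicious', detail: `${name}@${entry.version}` });
    } else if (entry.hasInstallScript) {
      findings.push({ kind: 'has-install-script', detail: `${name}@${entry.version}` });
    }
  }
  return findings;
}

// Constructed sample inputs (not real package metadata).
const SAMPLE_MANIFEST = {
  name: 'postcss-minify-selector',
  version: '1.0.0',
  scripts: {
    postinstall: 'node setup.js && powershell -ExecutionPolicy Bypass -File settings.ps1',
  },
  dependencies: { 'postcss-selector-parser': '^6.0.0' },
};

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '0.1.0' },
    'node_modules/postcss-selector-parser': { version: '6.0.16' },
    'node_modules/postcss-minify-selector-parser': { version: '1.0.2', hasInstallScript: true },
    'node_modules/some-native-addon': { version: '2.3.4', hasInstallScript: true },
  },
};

// Run both audits over the constructed samples and return the combined findings.
function auditSample() {
  return [...auditManifest(SAMPLE_MANIFEST), ...auditLockfile(SAMPLE_LOCK)];
}

for (const f of auditSample()) console.log(`${f.kind}: ${f.detail}`);
```

The lockfile pass is the one to wire into CI: a has-install-script finding for a package you did not expect to need native build steps is worth a manual read of that package's scripts before the install proceeds, and `npm install --ignore-scripts` stops the hook from running while you look.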

Researchers said the same campaign also included other malicious npm activity and came alongside separate supply chain attacks in the npm and TypeScript ecosystems. Those cases involved packages that claimed to offer red team or AI integration features but instead delivered malware or credential theft tools.

WHY IT MATTERS

The findings show how lookalike package names can be used to slip malware into software supply chains and reach developers during normal install steps. Users who installed any of the packages were advised to remove them, clear the dropped artifacts and rotate any credentials stored on the affected machines.