Malicious npm Packages Pose as PostCSS Tools to Deliver Windows RAT

Severity
Medium 

Detail

Security researchers at JFrog have identified three malicious npm packages masquerading as legitimate PostCSS-related tools that are designed to deploy a Windows-based Remote Access Trojan (RAT). The malicious packages, published by an npm user named “abdrizak,” include aes-decode-runner-pro, postcss-minify-selector, and postcss-minify-selector-parser.

The packages impersonate commonly used development dependencies and exploit trust in the JavaScript ecosystem to infect developer workstations. Once installed, the packages initiate a multi-stage malware deployment chain that ultimately installs a RAT capable of collecting system information, stealing credentials from Google Chrome, harvesting browser extension data, executing shell commands, and transferring files to and from an attacker-controlled command-and-control (C2) server.

Researchers warn that the campaign demonstrates how attackers continue to abuse open-source repositories and software supply chains by creating packages with names similar to legitimate and widely used libraries, increasing the likelihood of accidental installation by developers.

How?

The attack begins when a developer installs one of the malicious npm packages. During execution, the package deploys a JavaScript dropper that writes and launches a PowerShell script on the victim’s machine. The PowerShell script downloads a ZIP archive from an attacker-controlled domain and extracts additional components, including a Visual Basic Script (VBS), a bundled Python runtime, and several compiled Python modules.

The VBS script establishes the Python environment and launches a Python loader responsible for activating the RAT’s core functionality. Once active, the malware profiles the infected host, gathers system information, steals Google Chrome credentials and extension data, executes remote commands, uploads and downloads files, and communicates with a remote C2 server. The malware uses multiple Python extension modules to manage command execution, credential theft, file operations, and C2 communications, providing attackers with persistent remote access to compromised systems.

Recommendation

Organizations should immediately review their environments for the presence of the identified malicious npm packages and remove them from all development systems. Security teams should investigate affected hosts for any artifacts created during installation, including suspicious PowerShell scripts, Python runtimes, VBS files, and unauthorized scheduled tasks or persistence mechanisms.

Developers should verify package authenticity before installation, paying close attention to package names that closely resemble legitimate dependencies. Organizations are encouraged to implement software composition analysis (SCA) tools, dependency scanning, and package allowlisting to reduce supply chain risks. Continuous monitoring for unusual PowerShell execution, outbound connections to unknown domains, and unexpected Python processes can help identify similar threats. Additionally, any credentials stored on potentially affected developer systems should be rotated immediately, including GitHub tokens, SSH keys, npm credentials, cloud credentials, and browser-stored passwords.

Source

https://thehackernews.com/2026/06/malicious-npm-packages-pose-as-postcss.html