Malicious npm Packages Impersonate PostCSS Tools to Deploy Windows RAT

Cybersecurity researchers at JFrog have uncovered three malicious npm packages designed to deliver a Windows-based remote access trojan (RAT) to developers who install them. Published over the past month by an npm user going by "abdrizak," the packages — aes-decode-runner-pro (145 downloads), postcss-minify-selector (256 downloads), and postcss-minify-selector-parser (615 downloads) — remain available on the registry. The latter package deliberately mimics "postcss-selector-parser," a legitimate library with more than 127 million weekly downloads, making the typosquat a high-risk supply chain hazard for build pipelines and front-end projects.

The attack chain is consistent across all three packages and begins with an embedded JavaScript dropper that writes a PowerShell script ("settings.ps1") to disk and executes it. The script fetches a ZIP archive from "nvidiadriver[.]net" using curl.exe, then extracts and runs a Visual Basic file ("update.vbs") via wscript.exe. The VBS payload sets up a bundled Python runtime and launches loader.py, which in turn loads a collection of Nuitka-compiled native Python extensions: config.pyd, api.pyd, audriver.pyd, command.pyd, auto.pyd, and util.pyd. This layered obfuscation allows a small parser-impersonating package to quietly drop a multi-stage Windows payload.

Once active, the RAT communicates with a command-and-control server at 95.216.92[.]207:8080 and offers attackers a broad toolset: host profiling, VM detection, shell command execution, file upload and download, and credential theft from Google Chrome — including bypassing App-Bound Encryption (ABE) protections and harvesting data from installed Chrome extensions. Operators interested in tracing the malicious infrastructure can pivot on the C2 IP with a WHOIS lookup, while developers should immediately audit their npm dependency trees and lockfiles for any of the identified package names.

JFrog's findings align with a broader wave of software supply chain incidents in which threat actors exploit developer trust in widely used tooling. The campaign underscores that lookalike build dependencies must be treated as active delivery mechanisms, not cosmetic name conflicts. Defenders are advised to enable npm integrity verification (npm-shrinkwrap.json, package-lock.json with integrity hashes), pin dependency versions, and monitor outbound traffic to known suspicious infrastructure. Users concerned about potential exposure should run their credentials through a password checker and complete a broader privacy checkup to identify residual risk from any compromised developer workstation.