Malicious npm Package Installs Windows RAT with Encrypted C2

A recent malware campaign has been identified targeting Windows systems through a deceptive package on the npm registry. Disguised as a legitimate CSS build tool, the malicious package installs a Remote Access Trojan (RAT) on developer machines, posing significant security risks.

The attack initiates with a typosquatted npm package named postcss-minify-selector-parser, designed to mimic the widely used postcss-selector-parser, which boasts over 150 million weekly downloads. Upon installation, an encoded blob within the entry file triggers a multi-stage attack chain, ultimately deploying a Windows RAT capable of credential theft, shell command execution, and remote communication with attackers.

Security researchers have identified two additional related packages, postcss-minify-selector and aes-decode-runner-pro, all associated with the same npm publisher. At the time of discovery, these packages remained accessible on the registry.

The campaign’s sophistication lies in how well it blends into the development environment. The malicious package uses the same keywords and dependencies as the legitimate one, so it is hard to spot during a routine dependency review. Developers working in rapid development cycles who do not inspect transitive dependencies are particularly exposed, which shows the attacker’s understanding of how trust works in open-source ecosystems.

The full payload chain involves a PowerShell downloader retrieving a ZIP archive from a lookalike domain, extracting it, and executing a VBS script to launch the RAT. The final implant operates as a bundled Python application compiled with Nuitka, complicating analysis compared to typical script-based threats.

Windows RAT Utilizes Encrypted HTTP C2 and Registry Persistence

Once active, the RAT establishes communication with a command-and-control (C2) server over HTTP, encrypting all traffic using RC4/ARC4 with MD5 checksums to evade network detection. It transmits an initial host profile to the C2 and enters a loop, awaiting further commands from the attacker.

To maintain persistence, the malware creates an entry named csshost under the Windows Run registry key, so it is executed at every system startup. It also stores a persistent victim UUID and host configuration in the TEMP directory, which lets it reconnect automatically after a reboot.

The RAT’s capabilities are extensive, including remote shell execution, file upload and download, randomized sleep commands, and virtual machine detection. The VM checks employ WMI queries and MAC address prefix matching to evade sandbox analysis environments, indicating a threat actor with advanced technical proficiency and operational experience.

Chrome Credential Theft and Data Exfiltration

Beyond remote control functionalities, the RAT targets sensitive user data by extracting credentials from Google Chrome. It accesses the Login Data SQLite database, decrypts stored passwords using Windows Data Protection API (DPAPI), and exfiltrates the information to the C2 server. This capability underscores the malware’s potential for significant data breaches and identity theft.

This incident highlights the critical need for developers to exercise caution when incorporating third-party packages into their projects. Regular audits of dependencies, especially transitive ones, are essential to mitigate the risk of supply chain attacks. Additionally, implementing robust security measures, such as monitoring for unusual network activity and employing endpoint detection solutions, can help identify and prevent such sophisticated threats.