
Fake PostCSS npm Packages Drop a Windows RAT — Act Now

Malicious npm packages impersonating PostCSS tools delivered a Windows RAT to developer machines in June 2026

Three npm packages impersonating PostCSS utilities were caught delivering a Windows remote access trojan to developer machines. JFrog disclosed the campaign on June 23, 2026. The packages — postcss-minify-selector-parser, postcss-minify-selector, and aes-decode-runner-pro — racked up 1,016 combined downloads before removal. The legitimate package they mirror, postcss-selector-parser, sees 150 million weekly downloads. That gap between 150 million and 1,016 might sound comforting. It is not a safety signal.

The Attack Fires at npm install

The entry point in postcss-minify-selector-parser immediately requires an internal config file that carries a large AES-256-GCM-encoded blob. On first load, it decodes the blob and writes a PowerShell script — settings.ps1 — to disk, then executes it with a bypassed execution policy. Your code never has to call require(). The moment you run npm install, the dropper fires.

The PowerShell stage reaches out to nvidiadriver[.]net — a domain designed to look like an NVIDIA resource — downloads a Windows payload, and launches a VBS bootstrapper. What lands on your machine is a full-featured RAT.

What the RAT Does

This is not a simple credential logger. The RAT shipped in this campaign supports:

  • Registry persistence — writes a csshost value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run so it survives reboots
  • Remote shell — bidirectional shell access over encrypted HTTP C2
  • File transfer — upload and download tunneled through AES-GCM and ChaCha20-Poly1305
  • VM detection — profiles the host to identify sandbox analysis environments
  • Chrome credential theft — reads Local State and Login Data, calls Windows DPAPI and NCrypt to extract stored passwords, produces a chrome_logins_dump.txt artifact

The Chrome module bypasses the app-bound encryption Google rolled out to stop exactly this class of attack. If you have browser-stored credentials, consider them exposed on any affected machine.

Who Is at Risk

The payload targets Windows only — Linux and macOS users are not affected by this specific dropper. That narrows the blast radius but does not make this a minor event. PostCSS is embedded in Tailwind, Next.js, Create React App, and most modern CSS pipelines. If your project touches any of those tools and a Windows developer ran npm install without a pinned lockfile in the past several weeks, check your dependency tree.

Check and Clean

Run these against your project and any developer machine that may have been exposed:

# Search package.json and the lockfiles for the malicious package names (any shell with grep)
grep -rE "postcss-minify-selector-parser|postcss-minify-selector|aes-decode-runner-pro" \
  package.json package-lock.json yarn.lock pnpm-lock.yaml

# Check registry persistence: look for the csshost value in the output (Windows PowerShell)
Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run

# Hunt disk artifacts (Windows cmd.exe; %TEMP% does not expand in PowerShell)
dir %TEMP%\winPatch %TEMP%\.store %TEMP%\.host

If any of these turn up hits:

  1. Remove the packages and any transitive dependencies that pulled them in
  2. Delete the csshost value from the Run key and kill any associated processes
  3. Block outbound connections to nvidiadriver[.]net
  4. Rotate every credential stored in Chrome or in plain-text config files — API keys, tokens, SSH keys

Why npm audit Did Not Catch This

npm audit queries the GitHub Advisory Database for known vulnerabilities. These three packages had no advisory until JFrog published the disclosure. That is not a gap that will be patched — it is a fundamental limitation of the advisory-based model. npm’s own documentation acknowledges audit is not a substitute for keeping dependencies current and using additional security tooling.

The tools that would have stopped this install are behavioral: Socket, Snyk’s package health checks, or npq analyze what a package actually does before it runs. Running npm install --ignore-scripts would have blocked the dropper at the lifecycle hook stage. Committing lockfiles and using npm ci in CI means a typosquatted package can only enter via a deliberate lockfile change — which is something you can review in a pull request diff.
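With a committed lockfile and npm ci, a new package can only appear through a lockfile change, so the review question becomes "what did this diff add, and does it look like something already in the tree?". The following is an added example (not code from the article or from any of the tools it names): it reads the packages map of two package-lock.json documents (v2/v3 format), lists the names the change introduces, and flags newcomers that share two or more name tokens with an existing package, the impersonation pattern the campaign used. The lockfile fragments and the token-overlap threshold are constructed for the demonstration.

```javascript
// Newcomers sharing at least this many hyphen/dot-separated tokens with an existing
// package name are reported as look-alikes. A heuristic chosen for this example.
const MIN_SHARED_TOKENS = 2;

// package-lock v2/v3: keys are install paths such as "node_modules/a/node_modules/b";
// the package name is everything after the last "node_modules/". Key "" is the project.
function lockPackageNames(lock) {
  const names = new Set();
  for (const key of Object.keys(lock.packages || {})) {
    if (key === "") continue;
    names.add(key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length));
  }
  return names;
}

// Split "@scope/name-with-parts" into its lowercase word tokens.
const tokens = name => new Set(name.toLowerCase().replace(/^@/, "").split(/[\/\-._]+/).filter(Boolean));

// Names the change adds, each with the pre-existing names it resembles.
function reviewLockDiff(oldLock, newLock) {
  const before = lockPackageNames(oldLock);
  const report = [];
  for (const name of lockPackageNames(newLock)) {
    if (before.has(name)) continue; // unchanged or merely re-versioned
    const t = tokens(name);
    const lookalikeOf = [...before].filter(existing => {
      const shared = [...tokens(existing)].filter(x => t.has(x)).length;
      return shared >= MIN_SHARED_TOKENS;
    });
    report.push({ name, lookalikeOf });
  }
  return report;
}

// Constructed lockfile fragments (hypothetical versions and paths, not a real project).
const OLD_LOCK = { packages: { "": {}, "node_modules/postcss": { version: "0.0.0" },
  "node_modules/postcss-selector-parser": { version: "0.0.0" } } };
const NEW_LOCK = { packages: { ...OLD_LOCK.packages,
  "node_modules/postcss-minify-selector-parser": { version: "0.0.0" },
  "node_modules/chalk": { version: "0.0.0" } } };
```

In a pull request check, pass the base branch's lockfile as oldLock and the PR's as newLock; an entry with a non-empty lookalikeOf is the one to open the registry page for before merging.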

The Pattern Is Not Slowing Down

Sonatype counted 454,000 new malicious packages in 2025 — a 75% year-over-year increase, bringing the cumulative total to over 1.2 million blocked packages. This campaign joins the Red Hat Miasma attack from June 1, the Axios supply chain incident in March, and a steady drumbeat of typosquatted packages targeting the Node.js ecosystem. The attackers are now good enough at impersonation that a passing review of a dependency will not save you.

Treating dependency installation as a privileged operation — not something that happens casually during a local setup — is the mental shift the situation demands. The packages are already gone from npm. The question is whether the RAT is still on your machine.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
