Malicious npm Packages Posing as PostCSS Tools to Deploy Windows RAT

Cybersecurity researchers have discovered a set of malicious npm packages designed to deliver a Windows-based remote access trojan (RAT).
The identified packages are listed below –
- aes-decode-runner-pro (145 downloads)
- postcss-minify-selector (256 downloads)
- postcss-minify-selector-parser (615 downloads)
All three packages were published in the past month by an npm user named “abdrizak” and remain available for download from npm as of this writing.
“Aes-decode-runner-pro and postcss-minify-selector-parser both present themselves as AES/custom-codec packages and depend on the official postcss selector,” JFrog said in an analysis. “Postcss-minify-selector introduces itself as a minified selector for PostCSS and depends on postcss-minify-selector-parser.”
As for “postcss-minify-selector-parser,” the name is a play on “postcss-selector-parser,” a widely used npm library with over 127 million downloads per week. Regardless of which of the three packages is installed, the attack chain leads to the execution of the same Windows malware.
The packages embed a JavaScript dropper that writes a PowerShell script (“settings.ps1”) to disk and executes it. The PowerShell script then acts as a downloader, fetching the next-stage payload from an external server (“nvidiadriver[.]net”) using “curl.exe.”
The downloaded payload is a ZIP archive from which a VBScript file (“update.vbs”) is extracted and run with “wscript.exe.” The archive also contains a Python runtime, a Python loader (“loader.py”), and a number of Python extension modules (*.pyd) compiled with Nuitka.
The VBScript is responsible for setting up the Python environment on the compromised host and launching “loader.py,” which triggers the malware’s main logic. The RAT is equipped to collect host information, harvest data from Google Chrome and from Chrome extensions, execute shell commands, and download/upload files to and from the command-and-control (C2) server (“95.216.92[.]207:8080”).
These features are implemented across a set of Python native extension modules –
- config.pyd, which holds constants, command IDs, the C2 URL, and registry keywords
- api.pyd, which handles the HTTP C2 packet exchange
- audiodriver.pyd, which runs the main RAT orchestration loop
- command.pyd, which implements host profiling, virtual machine (VM) detection, file transfer, and shell execution
- auto.pyd, which performs Chrome credential and extension data theft, bypassing Chrome’s App-Bound Encryption (ABE) protections
- util.pyd, which provides tar/gzip archive helpers
“This case shows how a small package like a parser can hide a multi-stage Windows payload while appearing to be related to legitimate build tools that are widely used every week,” JFrog said. “For defenders, the important lesson is to treat dependencies like these as possible delivery methods, not just harmless-sounding names.”
The disclosure coincides with three other campaigns targeting the npm and TypeScript ecosystem –
- A malicious package called “apintergrationpost” that delivers a full-featured Linux RAT called MYRA while claiming to be a Node.js integration client for an authorized red team exercise. “It compiles a native C rootkit at install time, establishes three independent persistence methods, masquerades as a systemd service, supports fileless execution, and provides interactive shell access via live screencasting,” SafeDep said.
- A malicious package called “@withgoogle/stitch-sdk” that mimics Google’s Stitch AI design tool but comes with the ability to steal developer credentials from eight sources (Claude Code, git config, ~/.git-credentials, SSH public keys, GitHub CLI, npm config, ~/jn from an attacker-controlled domain (“stitch-production[.]org/api/v1”).
- A set of five packages (“procire,” “routecraft,” “endpointmap,” “bytecraft,” and “staticlayer”) that fetch a binary dropper from an external server and run it on Windows hosts during npm installation. The “routecraft” package lists “procire” as a dependency, while the latter lists “endpointmap” and “bytecraft” as dependencies. The last package, “staticlayer,” is designed to run server-side and serve files only to a client that presents a specific User-Agent for the dropper.
Users who have installed any of the above packages are advised to remove them immediately, remove any artifacts they created, and rotate credentials stored on the affected developer machines.
The findings are also consistent with the supply chain attack directed at the “gonex-AI/Understand-Anything” information graph tool to push the payload “to one beacon of three hard-coded C2 servers, extract the campaign tag, XOR-decrypts and check the downloaded bot client, and then independently solve the BrodesSC address of the latest transaction BrodesSC command from the second stage se encoding. the hash that carries the payload.”
The disclosure also overlaps with a North Korean supply chain operation called PolinRider, which was observed injecting obfuscated JavaScript into the configuration files of legitimate developers across nearly 2,000 compromised GitHub repositories to deliver a known malware downloader called BeaverTail, which in turn paves the way for InvisibleFerret.
“This attack combines three things, each of which is familiar on its own, but together they open a detection gap: a detailed fake PR description with fabricated test evidence, a variant that hides its payload in horizontal whitespace, and a two-stage C2 where the second stage uses public blockchain infrastructure as a way to write from and read to anywhere,” said SafeDep.