PostCSS Typosquats Deliver Multi-Stage Windows RAT to npm Users
TL;DR
- Three npm packages from user "abdrizak" typosquatted postcss-selector-parser, a library with more than 127 million weekly downloads.
- Each package carries the same chain: a JavaScript dropper, hidden behind an AES-256-GCM decoding step, writes a PowerShell downloader that fetches a bundle from nvidiadriver[.]net.
- The RAT persists through an HKCU Run key, steals Chrome credentials by bypassing App-Bound Encryption, and reports to a C2 server over encrypted HTTP.
Three npm packages published by a single account were found disguising themselves as utilities related to postcss-selector-parser, an npm library with more than 127 million weekly downloads, according to The Hacker News. All three were published by an npm user named "abdrizak" and reportedly remained available for download as of writing: postcss-minify-selector-parser (615 downloads), postcss-minify-selector (256 downloads), and aes-decode-runner-pro (145 downloads).
The attack chain is the same regardless of which of the three a developer installs. Each package embeds a JavaScript dropper that writes a PowerShell script named settings.ps1 to disk. That script reaches out to nvidiadriver[.]net and downloads a ZIP archive containing a Visual Basic Script, a Python runtime, and compiled Python modules. A loader script then launches the RAT, which phones home to a command-and-control server at 95.216.92[.]207:8080 over encrypted HTTP. The malware persists through a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and includes a module that steals Chrome credentials and extension data by bypassing Chrome's App-Bound Encryption. JFrog Security Research, which published the technical breakdown, found that the initial dropper hides behind an AES-256-GCM decoding step, an obfuscation layer designed to survive the quick inspection dependencies typically get during review.
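The review step the dropper is built to slip past can be made mechanical. The check below is an added example for this write-up, not code from JFrog, The Hacker News, or the packages discussed: it reads a package-lock.json (lockfileVersion 2/3 layout) and flags the three reported names, other names that reuse the tokens of postcss-selector-parser (a lookalike heuristic that is this example's assumption), and packages npm recorded with an install lifecycle script. The report does not say how the dropper is triggered, so that last signal is a general review heuristic; the sample lockfile, its placeholder versions, and the made-up lookalike postcss-selectors-parser are constructed for the demonstration.

```python
"""Dependency-review check for lookalikes of postcss-selector-parser.

Added example for this write-up, not code from JFrog Security Research,
The Hacker News, or the npm packages discussed.  It reads a package-lock.json
in the lockfileVersion 2/3 layout (installed packages under "packages",
keyed by node_modules path) and flags:
  * the three package names given in the report,
  * other names that reuse two or more hyphen-separated tokens of the
    target name (a lookalike heuristic, an assumption of this example), and
  * any package npm recorded with "hasInstallScript": true.  The report does
    not say how this dropper is triggered, so that is a general review
    signal, not a description of these packages.
"""
import json

TARGET = "postcss-selector-parser"
# Package names reported by JFrog Security Research / The Hacker News.
KNOWN_BAD = {
    "postcss-minify-selector-parser",
    "postcss-minify-selector",
    "aes-decode-runner-pro",
}


def lookalike(name, target=TARGET, min_shared=2):
    """True if `name` reuses >= min_shared tokens of `target` but is not
    `target` itself.  Edit distance alone is a poor fit: postcss-minify-selector
    differs from the target by one whole token removed and another inserted."""
    if name == target:
        return False
    shared = set(name.split("-")) & set(target.split("-"))
    return len(shared) >= min_shared


def installed_packages(lock):
    """Yield (name, entry) for every non-root entry of a v2/v3 lockfile."""
    for path, entry in lock.get("packages", {}).items():
        if not path:  # "" is the root project, not a dependency
            continue
        # Nested installs look like "node_modules/a/node_modules/b".
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        yield name, entry


def review_lockfile(lock):
    """Return one finding per suspicious package, with the reasons."""
    findings = []
    for name, entry in installed_packages(lock):
        reasons = []
        if name in KNOWN_BAD:
            reasons.append("name reported as malicious")
        elif lookalike(name):
            reasons.append(f"lookalike of {TARGET}")
        if entry.get("hasInstallScript"):
            reasons.append("runs an install lifecycle script")
        if reasons:
            findings.append({"name": name, "version": entry.get("version"),
                             "reasons": reasons})
    return findings


# Constructed sample lockfile.  Versions are placeholders (the report gives
# none) and postcss-selectors-parser is a made-up lookalike for the test.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app"},
    "node_modules/postcss-selector-parser": {"version": "0.0.0"},
    "node_modules/postcss-minify-selector-parser":
        {"version": "0.0.0", "hasInstallScript": true},
    "node_modules/postcss-selectors-parser": {"version": "0.0.0"},
    "node_modules/left-pad": {"version": "0.0.0"}
  }
}""")

if __name__ == "__main__":
    for f in review_lockfile(SAMPLE_LOCK):
        print(f"{f['name']}@{f['version']}: " + "; ".join(f["reasons"]))
```

Run it against a project's real package-lock.json by replacing SAMPLE_LOCK with `json.load(open("package-lock.json"))`. The token heuristic will also surface legitimate postcss plugins that happen to share two tokens; it is a queue for human review, not a verdict, which is the right shape for a check whose whole purpose is to make the quick glance slower.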
The download numbers are modest relative to the library being mimicked, but the target is a developer's local machine, which typically holds browser-stored credentials and carries access to internal tooling or CI/CD pipelines. That gap between small install count and potential blast radius is the asymmetry supply chain attackers are banking on.
The reporting does not confirm how many of those downloads resulted in actual compromises, and it is not clear whether the packages or the publishing account have been suspended since publication. For teams doing triage now, the concrete IOCs are the three package names, the dropped settings.ps1, the nvidiadriver[.]net domain, the C2 server at 95.216.92[.]207:8080, and the HKCU Run key used for persistence.
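Those indicators are all the report gives, so a host sweep has to work from them as published. The script below is an added example for this write-up, not JFrog's or The Hacker News' tooling: it refangs the defanged indicators, then checks two kinds of input, network/DNS log lines for the domain and the exact C2 socket, and a dump of the HKCU Run key in `reg query` output shape for values that launch a script interpreter from a user-writable directory or reference settings.ps1. The report names the key but not the value or command the RAT writes, so that registry check is a generic heuristic; the log lines, the value names, and the paths in the sample are constructed for the demonstration.

```python
"""Host-side triage for the indicators given in the article.

Added example for this write-up, not JFrog's or The Hacker News' tooling.
Only the domain, the C2 host:port, the script name and the registry key
come from the report; every log line and registry value below is
constructed.  The Run-key check is a heuristic: the report does not say
which value name or command line the RAT writes.
"""
import re

# Indicators exactly as published (defanged).
DEFANGED_DOMAIN = "nvidiadriver[.]net"
DEFANGED_C2 = "95.216.92[.]207:8080"
DROPPER_SCRIPT = "settings.ps1"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


def refang(ioc):
    """Turn a defanged indicator back into its matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


DOMAIN = refang(DEFANGED_DOMAIN)
C2_HOST, C2_PORT = refang(DEFANGED_C2).rsplit(":", 1)

HOST_RE = re.compile(r"\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\b")
SOCKET_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")


def scan_log_lines(lines):
    """Return (line_no, indicator) for lines naming the domain (or a
    subdomain of it) or the exact C2 host:port.  Host and port are compared
    as a pair, so the same IP on another port is not reported here."""
    hits = []
    for no, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            h = host.lower()
            if h == DOMAIN or h.endswith("." + DOMAIN):
                hits.append((no, DOMAIN))
                break
        for ip, port in SOCKET_RE.findall(line):
            if (ip, port) == (C2_HOST, C2_PORT):
                hits.append((no, f"{C2_HOST}:{C2_PORT}"))
    return hits


# `reg query` prints "    <name>    <REG_TYPE>    <data>" per value.
REG_LINE_RE = re.compile(r"^\s+(.+?)\s+(REG_\w+)\s+(.*)$")
INTERPRETER_RE = re.compile(
    r"\b(?:powershell|pwsh|wscript|cscript|mshta|python\w*)(?:\.exe)?\b", re.I)
USER_WRITABLE_RE = re.compile(
    r"(\\AppData\\|\\Temp\\|\\Users\\Public\\|%APPDATA%|%LOCALAPPDATA%|%TEMP%)",
    re.I)


def parse_reg_query(dump):
    """Parse `reg query <key>` output into (value_name, type, data) tuples."""
    entries = []
    for line in dump.splitlines():
        m = REG_LINE_RE.match(line)
        if m:
            entries.append(m.groups())
    return entries


def suspicious_run_entries(dump):
    """Flag Run values that start a script interpreter from a user-writable
    path, or that reference the dropper's script name (heuristic)."""
    flagged = []
    for name, _type, data in parse_reg_query(dump):
        reasons = []
        if INTERPRETER_RE.search(data) and USER_WRITABLE_RE.search(data):
            reasons.append("script interpreter launched from user-writable path")
        if DROPPER_SCRIPT.lower() in data.lower():
            reasons.append(f"references {DROPPER_SCRIPT}")
        if reasons:
            flagged.append((name, data, reasons))
    return flagged


# Constructed sample inputs (not captured from a real host).
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z dns  dev-laptop query registry.npmjs.org A",
    "2024-01-01T10:00:07Z dns  dev-laptop query nvidiadriver.net A",
    "2024-01-01T10:00:15Z conn dev-laptop -> 95.216.92.207:8080 tcp",
    "2024-01-01T10:00:16Z conn dev-laptop -> 95.216.92.207:443 tcp",
    "2024-01-01T10:00:20Z conn dev-laptop -> 10.0.0.5:8080 tcp",
]
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    wscript.exe //B "C:\Users\dev\AppData\Roaming\loader.vbs"
    Driver    REG_SZ    powershell.exe -WindowStyle Hidden -File C:\Users\dev\AppData\Roaming\settings.ps1
"""

if __name__ == "__main__":
    print(scan_log_lines(SAMPLE_LOG))
    for name, data, reasons in suspicious_run_entries(SAMPLE_REG_QUERY):
        print(f"{RUN_KEY}\\{name}: {data}  <- {'; '.join(reasons)}")
```

On a real host, feed `parse_reg_query` the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, and point `scan_log_lines` at whatever DNS or proxy logs cover the period after the install. Matching the C2 as a host:port pair follows the report literally; widening to the bare IP is a reasonable call during an active incident, at the cost of more noise. The OneDrive entry in the sample shows why both conditions are required for the registry heuristic: plenty of legitimate software starts from AppData, but not via a script interpreter.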
Originally reported by thehackernews.com
Original headline: Malicious npm Packages Disguised as PostCSS Utilities Deliver Multi-Stage Windows RAT With Chrome Credential Theft and Registry Persistence