Security experts have uncovered a group of harmful npm packages crafted to deploy a Windows remote access trojan (RAT) onto victims’ machines.
The detected packages are listed below –
- aes-decode-runner-pro (145 downloads)
- postcss-minify-selector (256 downloads)
- postcss-minify-selector-parser (615 downloads)
All three packages were uploaded within the last month by an npm account called “abdrizak” and remain downloadable from the npm registry at the time of this report.
“Aes-decode-runner-pro and postcss-minify-selector-parser both disguise themselves as layered AES/custom-codec tools and rely on the legitimate postcss-selector-parser library,” JFrog explained in its analysis. “Postcss-minify-selector masquerades as a PostCSS selector minification utility and depends on postcss-minify-selector-parser.”
The name “postcss-minify-selector-parser” is deliberately chosen to resemble “postcss-selector-parser,” a popular npm library that sees over 127 million downloads each week. Whichever of the three packages gets installed, the infection process ultimately results in the same Windows malware being deployed.
Each package contains a JavaScript dropper that saves a PowerShell script (“settings.ps1”) to the system and runs it. That PowerShell script then fetches a secondary payload from a remote server (“nvidiadriver[.]net”) using “curl.exe.”
The downloaded payload is a ZIP file containing a Visual Basic Script (“update.vbs”), which is executed via “wscript.exe.” The ZIP archive also includes a Python runtime, a Python loader script (“loader.py”), and several Python extension modules (*.pyd) compiled with Nuitka.
The Visual Basic Script configures the Python environment on the infected machine and launches “loader.py,” which activates the malware’s core functionality. The RAT is capable of collecting system details, stealing saved passwords from Google Chrome, harvesting data from Chrome extensions, executing shell commands, and transferring files to and from a command-and-control (C2) server (“95.216.92[.]207:8080”).
These capabilities are implemented through a collection of Python native extension modules –
- config.pyd — stores constants, command identifiers, the C2 server URL, and registry key names
- api.pyd — manages HTTP-based communication with the C2 server
- audiodriver.pyd — runs the primary RAT coordination loop
- command.pyd — gathers system profiles, performs virtual machine detection, handles file transfers, and executes shell commands
- auto.pyd — steals Chrome credentials and extension data, circumventing app-bound encryption (ABE) defenses
- util.pyd — provides tar/gzip archive utility functions
“This case illustrates how a seemingly minor parser-style package can conceal a complex, multi-stage Windows attack while appearing to be associated with legitimate build tools that enjoy enormous weekly download counts,” JFrog noted. “For security teams, the key takeaway is that lookalike build dependencies should be viewed as potential malware delivery vehicles, not dismissed as harmless naming coincidences.”
This discovery aligns with three additional campaigns aimed at the npm and TypeScript ecosystem –
- A harmful package called “apintergrationpost” that installs a fully featured Linux RAT known as MYRA, while posing as a Node.js integration client for sanctioned red team operations. “It builds a native C rootkit during installation, sets up three separate persistence methods, disguises itself as a systemd service, supports fileless execution, and offers an interactive shell with real-time screen streaming,” SafeDep reported.
- A malicious package named “@withgoogle/stitch-sdk” that impersonates Google’s Stitch AI design platform but is equipped to harvest developer credentials from eight sources (Claude Code, git config, ~/.git-credentials, SSH public keys, GitHub CLI, npm config, ~/.npmrc, and ~/.docker/config.json) and send them to an attacker-controlled domain (“stitch-production[.]org/api/v1”).
- A group of five packages (“procwire,” “routecraft,” “endpointmap,” “bytecraft,” and “staticlayer”) that fetches a dropper binary onto Windows machines from a remote server and runs it during npm install. The “routecraft” package depends on “procwire,” which in turn depends on “endpointmap” and “bytecraft.” The fifth package, “staticlayer,” operates on the server side and delivers files to a client matching the dropper’s exact User-Agent string.
Anyone who has installed any of the packages mentioned above should uninstall them right away, clean up any files or artifacts they created, and change all credentials that may have been exposed on affected developer workstations.
These findings also coincide with a supply chain attack aimed at the “gonex-AI/Understand-Anything” knowledge graph tool, which was used to distribute a malicious payload that “contacts one of three hardcoded C2 servers, sends out a campaign identifier, XOR-decrypts and runs a downloaded bot client, and then independently retrieves a second-stage command from a Tron blockchain address — where the most recent transaction encodes a BSC transaction hash pointing to the active payload.”
The campaign shares characteristics with a North Korean supply chain operation known as PolinRider, which has been seen injecting obfuscated JavaScript into legitimate developers’ configuration files across close to 2,000 compromised GitHub repositories. This delivers a recognized malware downloader and stealer called BeaverTail, which subsequently sets the stage for the InvisibleFerret backdoor.
“This attack merges three elements that are individually well-known but collectively create a blind spot for detection: a convincing fake PR description with fabricated test results, a diff that conceals its payload within horizontal whitespace, and a two-stage C2 infrastructure where the second stage leverages public blockchain technology as a write-once, globally readable relay,” SafeDep explained.
