logo

Fake npm Packages Impersonate PostCSS Tool to Steal Chrome Passwords

ID: 49e04c61-9099-5663-98e9-a19c913739fa

STIX ID: report--49e04c61-9099-5663-98e9-a19c913739fa

Feed Name: HackRead

Threat Score
75/100

Date Published: 2026-06-24

Date Updated: 2026-06-24

Author: Deeba Ahmed

...
...

JFrog discovered a package-impersonation campaign on the npm registry where malicious packages (including postcss-minify-selector-parser and two related packages) masquerade as a popular build utility to deliver a multi-stage Windows RAT. The malicious package decodes an encrypted dropper, runs a PowerShell installer that fetches a ZIP from nvidiadriver.net, and executes VBScript to launch compiled Python modules (audiodriver.pyd, command.pyd, auto.pyd) that persist via HKCU Run, detect virtual machines, exfiltrate Chrome-saved credentials by bypassing encryption protections, and connect to C2; JFrog advises removing the packages, scanning temp folders for indicators (winPatch, .store, .host), and changing browser-stored passwords.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.