Fake npm Packages Impersonate PostCSS Tool to Steal Chrome Passwords
ID: 49e04c61-9099-5663-98e9-a19c913739fa
STIX ID: report--49e04c61-9099-5663-98e9-a19c913739fa
Feed Name: HackRead
JFrog discovered a package-impersonation campaign on the npm registry where malicious packages (including postcss-minify-selector-parser and two related packages) masquerade as a popular build utility to deliver a multi-stage Windows RAT. The malicious package decodes an encrypted dropper, runs a PowerShell installer that fetches a ZIP from nvidiadriver.net, and executes VBScript to launch compiled Python modules (audiodriver.pyd, command.pyd, auto.pyd) that persist via HKCU Run, detect virtual machines, exfiltrate Chrome-saved credentials by bypassing encryption protections, and connect to C2; JFrog advises removing the packages, scanning temp folders for indicators (winPatch, .store, .host), and changing browser-stored passwords.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
