logo

Lookalike npm Package Hides a Multi-Stage Windows RAT

ID: a6ec4ec2-7af3-555f-8a2d-0362e6489db9

STIX ID: report--a6ec4ec2-7af3-555f-8a2d-0362e6489db9

Feed Name: Infosecurity Magazine (News)

Threat Score
80/100

Date Published: 2026-06-23

Date Updated: 2026-06-23

...
...

A malicious npm package named postcss-minify-selector-parser impersonated the widely used postcss-selector-parser package to deliver a multi-stage Windows RAT. Importing the package triggered an AES-decoded dropper that wrote and executed a PowerShell script, which downloaded a ZIP disguised as a Windows patch from nvidiadriver.net; the archive contained a bundled Python runtime and Nuitka-compiled modules launched via VBScript. The RAT established persistence via a registry run key, performed host profiling and VM checks, opened remote shells, exfiltrated files, and specifically targeted Google Chrome to steal saved logins, prompting an urgent remediation recommendation for package removal, artifact cleanup, and credential rotation.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.