Lookalike npm Package Hides a Multi-Stage Windows RAT
ID: a6ec4ec2-7af3-555f-8a2d-0362e6489db9
STIX ID: report--a6ec4ec2-7af3-555f-8a2d-0362e6489db9
Feed Name: Infosecurity Magazine (News)
A malicious npm package named postcss-minify-selector-parser impersonated the widely used postcss-selector-parser package to deliver a multi-stage Windows RAT. Importing the package triggered an AES-decoded dropper that wrote and executed a PowerShell script, which downloaded a ZIP disguised as a Windows patch from nvidiadriver.net; the archive contained a bundled Python runtime and Nuitka-compiled modules launched via VBScript. The RAT established persistence via a registry run key, performed host profiling and VM checks, opened remote shells, exfiltrated files, and specifically targeted Google Chrome to steal saved logins, prompting an urgent remediation recommendation for package removal, artifact cleanup, and credential rotation.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
