Lookalike npm Package Hides a Multi-Stage Windows RAT

A malicious npm package has been caught impersonating one of the JavaScript ecosystem's most widely used build tools. The lookalike package hid a multi-stage Windows remote access trojan (RAT) in a supply chain attack on developer machines.

New analysis from JFrog detailed the package, which was named postcss-minify-selector-parser. The name was chosen so that the package could pose as postcss-selector-parser, a hugely popular library with more than 150 million weekly downloads.

The illegitimate package was still available on the npm registry at the time of writing.

Built to Pass a Dependency Review

JFrog said that because the package name sat close enough to the real one, it looked plausible during a quick dependency review.

It used the same postcss, selector and parser keywords, and it listed the genuine postcss-selector-parser among its own dependencies.

JFrog found two more packages in the same cluster, postcss-minify-selector and aes-decode-runner-pro, linked by dependencies. It traced them to a publisher using the name abdrizak. Decoded payloads from two of the packages led to the same Windows attack chain.
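The review failure described above is mechanical enough to automate. The following is an added example, not JFrog's tooling or code from any of the packages named here: it audits a manifest's dependencies against a team-maintained allowlist of packages it already trusts, flags names that sit within a short edit distance of a trusted name or share most of its hyphen-separated tokens, and adds weight when the lockfile shows the suspect package depending on the very package it resembles, as postcss-minify-selector-parser did. The allowlist, manifest and lockfile-style map are constructed for the demonstration.

```javascript
// Added example (not JFrog's tooling): flag dependencies whose names sit close to
// well-known packages, the pattern the article describes for
// postcss-minify-selector-parser versus postcss-selector-parser.

// Constructed allowlist; assumption: a team maintains this from its own audited dependencies.
const KNOWN_PACKAGES = ["postcss", "postcss-selector-parser", "lodash", "express"];

// Constructed manifest and lockfile-style dependency map (package -> its own dependencies).
const SAMPLE_MANIFEST = {
  dependencies: {
    "postcss": "^8.4.0",
    "postcss-minify-selector-parser": "^1.0.0",
    "postcss-minify-selector": "^1.0.0",
    "expresss": "^4.0.0",
    "lodash": "^4.17.21",
  },
};
const SAMPLE_LOCK = {
  "postcss-minify-selector-parser": ["postcss-selector-parser", "aes-decode-runner-pro"],
  "postcss-minify-selector": [],
  "expresss": [],
  "postcss": [],
  "lodash": [],
};

// Classic single-row Levenshtein distance; catches one- or two-character typosquats.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    let diagonal = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const temp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diagonal + (a[i - 1] === b[j - 1] ? 0 : 1));
      diagonal = temp;
    }
  }
  return prev[b.length];
}

// Drop an npm scope and split on the separators package names commonly use.
function nameTokens(name) {
  return new Set(name.replace(/^@[^/]+\//, "").split(/[-_.]/).filter(Boolean));
}

// Returns a human-readable reason if `candidate` resembles `known`, else null.
function resemblance(candidate, known) {
  const distance = levenshtein(candidate, known);
  if (distance <= 2) return `edit distance ${distance} from ${known}`;
  const want = nameTokens(known);
  const shared = [...nameTokens(candidate)].filter((t) => want.has(t)).length;
  // Two or more shared tokens covering all but one of the trusted name's tokens,
  // e.g. postcss-minify-selector(-parser) against postcss-selector-parser.
  if (shared >= 2 && shared >= want.size - 1) {
    return `shares ${shared} of ${want.size} name tokens with ${known}`;
  }
  return null;
}

// Audit a manifest's dependency names; trusted names themselves are never flagged.
function auditDependencies(dependencies, lock, known) {
  const trusted = new Set(known);
  const findings = [];
  for (const name of Object.keys(dependencies)) {
    if (trusted.has(name)) continue;
    for (const k of known) {
      const reason = resemblance(name, k);
      if (!reason) continue;
      const reasons = [reason];
      // A lookalike that pulls in the genuine package is the stronger signal.
      if ((lock[name] || []).includes(k)) reasons.push(`also depends on ${k} itself`);
      findings.push({ name, resembles: k, reasons });
    }
  }
  return findings;
}

for (const f of auditDependencies(SAMPLE_MANIFEST.dependencies, SAMPLE_LOCK, KNOWN_PACKAGES)) {
  console.log(`${f.name} -> resembles ${f.resembles}: ${f.reasons.join("; ")}`);
}
```

Run in a CI step, the finding should block the merge until someone confirms the package is intended rather than a near-miss. The token and edit-distance thresholds are deliberately simple; tune them against your own manifests, and keep the allowlist derived from packages you have actually reviewed rather than from download counts alone.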

Read more on package impersonation: Attackers Move Past Typosquatting to Realistic Package Impersonation

From npm Import to Windows Payload

The malicious code ran as soon as the package was imported. JFrog found that importing it pulled in a file that should have held parser logic. Instead, the file carried a large encrypted blob and an AES-256-GCM decoder. Once decoded, it acted as a dropper, writing a PowerShell script to disk and running it.

The PowerShell script then downloaded a payload from a domain posing as a driver site, nvidiadriver[.]net. It downloaded a ZIP archive disguised as a Windows patch and unpacked it in the temp folder.

The archive held a bundled Python runtime and several Nuitka-compiled modules. A VBScript bootstrapper launched them to start the RAT.
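The dropper stage described above has a recognisable static shape: a file that should hold parser logic instead carries a large encrypted blob, an AES-GCM decrypt call, a write into the temp folder and a PowerShell launch. The following is an added example, not JFrog's analysis tooling, showing a heuristic triage pass over package source text that scores those indicators; the two sample files and the random "ciphertext" blob are constructed fixtures and decrypt nothing, and the length and entropy thresholds are assumptions to tune against your own codebase.

```javascript
// Added example (not JFrog's tooling): heuristic static triage of a package source file
// for the import-time dropper pattern the article describes.

const STRING_LITERAL = /(["'`])((?:\\.|(?!\1)[^\\])*)\1/g;
const MIN_BLOB_LENGTH = 256;   // assumption: shorter literals are rarely embedded payloads
const MIN_BLOB_ENTROPY = 4.5;  // bits per character; base64 ciphertext sits near 6

// Shannon entropy in bits per character.
function shannonEntropy(text) {
  const counts = new Map();
  for (const ch of text) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / text.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Deterministic LCG-driven base64-looking blob so the fixture is reproducible offline.
function makeHighEntropyBlob(length, seed = 0x2545f491) {
  const ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  let state = seed >>> 0;
  let out = "";
  for (let i = 0; i < length; i++) {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    out += ALPHABET[state >>> 26];
  }
  return out;
}

// Constructed fixture mirroring the indicators the article describes; it is not a working dropper.
const SUSPICIOUS_SAMPLE = `
const crypto = require("crypto");
const fs = require("fs");
const os = require("os");
const path = require("path");
const { spawn } = require("child_process");
const blob = "${makeHighEntropyBlob(1800)}";
const decipher = crypto.createDecipheriv("aes-256-gcm", Buffer.alloc(32), Buffer.alloc(12));
const script = decipher.update(Buffer.from(blob, "base64"));
const target = path.join(os.tmpdir(), "update.ps1");
fs.writeFileSync(target, script);
spawn("powershell", ["-File", target]);
`;

// Constructed fixture of what a real selector-parser module might look like.
const BENIGN_SAMPLE = `
"use strict";
const COMBINATORS = new Set([" ", ">", "+", "~"]);
function parseSelector(input) {
  return input.split(",").map((s) => s.trim());
}
module.exports = { parseSelector, COMBINATORS };
`;

// Returns the indicators found and a verdict; two or more indicators warrant a human review.
function triageSource(fileName, source) {
  const indicators = [];
  for (const match of source.matchAll(STRING_LITERAL)) {
    const literal = match[2];
    if (literal.length < MIN_BLOB_LENGTH) continue;
    const h = shannonEntropy(literal);
    if (h >= MIN_BLOB_ENTROPY) {
      indicators.push(`high-entropy literal (${literal.length} chars, ${h.toFixed(2)} bits/char)`);
    }
  }
  if (/createDecipheriv\s*\(\s*["'`]aes-\d+-gcm/.test(source)) indicators.push("AES-GCM decrypt primitive");
  if (/os\.tmpdir\s*\(\s*\)|process\.env\.(TEMP|TMP)\b/.test(source) && /\bwriteFile(Sync)?\s*\(/.test(source)) {
    indicators.push("writes a file into the temp directory");
  }
  if (/child_process/.test(source) && /powershell/i.test(source)) indicators.push("launches PowerShell");
  return { file: fileName, indicators, verdict: indicators.length >= 2 ? "review" : "clean" };
}

for (const [name, src] of [["parser.js", SUSPICIOUS_SAMPLE], ["index.js", BENIGN_SAMPLE]]) {
  const result = triageSource(name, src);
  console.log(`${result.file}: ${result.verdict}`, result.indicators);
}
```

Entropy alone is noisy (minified bundles and embedded fonts score high), which is why the verdict requires a second indicator; the combination of an encrypted blob with a decrypt-write-execute chain is what makes a parser dependency worth a closer look. Point the function at each file a package pulls in on import, not just its entry point.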

RAT Built to Steal Browser Logins

Once running, the malware contacted its command server over encrypted HTTP. It set up persistence through a registry run key.

It also profiled the host and checked whether it was running inside a virtual machine. JFrog said the RAT could open a remote shell, move files to and from the machine and steal data from the victim.

The malware also targeted Google Chrome. JFrog said it was built to steal saved logins and to defeat the browser's newer app-bound encryption.

The firm urged anyone who installed the packages to remove them, check for the temp-folder and registry traces, then rotate stored credentials.

JFrog described the cluster as a package-impersonation attack: "For defenders, the important lesson is to treat lookalike build dependencies as potential delivery mechanisms, not just harmless naming noise."
