Postcss-selector-parser, a widely used npm library, has more than 127 million weekly downloads — and attackers have deliberately referenced that popularity to hide a Windows remote access trojan inside lookalike packages.
The three malicious npm packages and their reach
Researchers identified three npm packages published over the past month by a user named "abdrizak" that converge on the same Windows payload. The packages and their recorded download counts are:
- aes-decode-runner-pro (145 downloads)
- postcss-minify-selector (256 downloads)
- postcss-minify-selector-parser (615 downloads)
All three packages were still available for download from npm as of writing.
How the attack chain is assembled and executed
JFrog’s analysis describes a multi-stage delivery that begins inside JavaScript installed by npm. Each malicious package contains a JavaScript dropper that writes a PowerShell script named "settings.ps1" to disk and executes it. That PowerShell script downloads a next-stage ZIP archive from an external server named "nvidiadriver[.]net" using the platform's curl.exe.
The downloaded ZIP contains several Windows-friendly components: a Visual Basic Script ("update.vbs") that is executed with wscript.exe, a bundled Python runtime, a Python loader ("loader.py"), and multiple Python extension modules (*.pyd) compiled with Nuitka. The Visual Basic component sets up the Python environment on the host and launches loader.py, which triggers the RAT's core logic.
The RAT’s capabilities and native Python modules
The actors behind the packages deploy a Windows remote access trojan that performs host profiling, credential theft, extension data collection, command execution, and file transfer to a command-and-control server at "95.216.92[.]207:8080". JFrog mapped the malware’s capabilities to a set of native Python extension modules delivered in the ZIP:
- config.pyd — contains constants, command IDs, C2 URL, registry key names
- api.pyd — handles HTTP C2 packet exchange
- audiodriver.pyd — handles the main RAT orchestration loop
- command.pyd — profiles the host, runs virtual machine (VM) checks, file transfer, and shell execution
- auto.pyd — performs Chrome credential and extension theft, bypassing app-bound encryption (ABE) protections
- util.pyd — acts as tar/gzip archive helpers
According to JFrog, regardless of which package a user downloads, “the attack chain leads to the deployment of the same Windows malware.”
Related npm and TypeScript campaigns observed simultaneously
JFrog’s discovery arrives alongside reporting of three other distinct campaigns that target the npm/TypeScript ecosystem. Briefly:
- A package named "apintergrationpost" that delivers a Linux RAT called MYRA; SafeDep reports the package "compiles a native C rootkit during install, establishes three independent persistence mechanisms, masquerades as a systemd service, supports fileless execution, and provides interactive shell access with live screen streaming."
- A package named "@withgoogle/stitch-sdk" that impersonates a Google design tool and is capable of stealing developer credentials from eight sources (Claude Code, git config, ~/.git-credentials, SSH public keys, GitHub CLI, npm config, ~/.npmrc, and ~/.docker/config.json) and exfiltrating them to "stitch-production[.]org/api/v1".
- A cluster of five packages — "procwire," "routecraft," "endpointmap," "bytecraft," and "staticlayer" — that deliver a Windows dropper binary from an external server and execute it during npm install; the packages list each other as dependencies in ways that chain installation, and "staticlayer" is designed to run server-side and deliver files to clients presenting the dropper’s exact User-Agent.
What this means for developers and defenders
JFrog highlighted the tactic used by the author: packaging a small, parser-like library that appears related to legitimate build tooling and leverages lookalike names to exploit trust. As JFrog put it, “This case shows how a small parser-like package can hide a multi-stage Windows payload while appearing related to legitimate build tooling with massive weekly usage. For defenders, the important lesson is to treat lookalike build dependencies as potential delivery mechanisms, not just harmless naming noise.”
Practical actions stated in the reporting for anyone who installed the packages are straightforward and immediate: remove the packages, remove any artifacts they created, and rotate credentials from impacted developer machines.
Overlap with other supply-chain activity and a blockchain-enabled delivery
The findings also coincide with reporting of a separate supply chain attack against the "gonex-AI/Understand-Anything" knowledge graph tool that pushes a malicious payload which beacons to one of three hardcoded C2 servers, exfiltrates a campaign marker, XOR-decrypts and evaluates a downloaded bot client, and then resolves a second-stage command via a Tron blockchain address whose latest transaction encodes a BSC transaction hash carrying the active payload. SafeDep further described activity overlapping with a North Korean supply chain operation dubbed PolinRider that injected obfuscated JavaScript into nearly 2,000 compromised GitHub repositories to deliver a downloader and stealer called BeaverTail and an eventual backdoor named InvisibleFerret. As SafeDep summarized, “This attack combines three things that individually are familiar but together open a detection gap: an elaborate fake PR description with fabricated test evidence, a diff that hides its payload in horizontal whitespace, and a two-stage C2 where the second stage uses public blockchain infrastructure as a write-once, read-anywhere relay.”
These discoveries reinforce a concrete point in the JFrog analysis: lookalike package names and parser-like modules are not mere naming noise — they are a delivery channel. For organizations that build in JavaScript and TypeScript, that channel remains open today: the identified packages were still available on npm at the time of publication, and defenders are left to decide how aggressively to police dependencies versus disrupting developer workflows.
