Alanna
River

Malicious PostCSS-Themed npm Packages Deliver Windows RAT

Alanna River

Jun 29, 2026

4 min read

malicious npm packages

The "What Happened"

  • The Hacker News reported that researchers found malicious npm packages posing as PostCSS-related tools.
  • The identified packages were aes-decode-runner-pro, postcss-minify-selector, and postcss-minify-selector-parser.
  • The packages were published by an npm user named abdrizak and were still available on npm at the time of reporting.
  • The packages used JavaScript droppers to write and execute a PowerShell script named settings.ps1.
  • The PowerShell script downloaded a ZIP archive from nvidiadriver.net using curl.exe.
  • The ZIP archive contained update.vbs, a Python runtime, loader.py, and Python extension modules compiled with Nuitka.
  • The final Windows RAT could collect host information, steal Google Chrome credentials, collect Chrome extension data, run shell commands, and download or upload files through command-and-control infrastructure at 95.216.92.207:8080.
  • JFrog said the packages abused lookalike build-tool naming to hide a multi-stage Windows payload inside what appeared to be parser or PostCSS utility packages.

Attackers continue to exploit one of the weakest links in the software supply chain: developer trust. In the latest campaign, threat actors published PostCSS-themed npm packages that masqueraded as legitimate build utilities while concealing a multi-stage Windows remote access trojan (RAT).

Unlike opportunistic malware delivered through phishing emails or drive-by downloads, malicious npm packages execute as part of the software development workflow. That makes them particularly dangerous, as they can compromise developer workstations and potentially provide attackers with a foothold into engineering environments before the malicious activity is detected.

How the Attack Works

The attack begins when a developer installs one of the malicious npm packages, believing it to be a legitimate PostCSS utility. During execution, a JavaScript dropper writes a PowerShell script (settings.ps1) to disk and launches it, initiating the next stage of the infection chain.

The PowerShell script downloads a ZIP archive from attacker-controlled infrastructure and extracts multiple components, including:

  • A VBScript launcher (update.vbs)
  • A bundled Python runtime
  • A Python loader (loader.py)
  • Nuitka-compiled Python extension modules

The VBScript starts the embedded Python environment, allowing loader.py to load and execute the RAT without requiring Python to be installed on the victim’s system. Packaging the malware with its own runtime also helps the attackers maintain a consistent execution environment across compromised Windows endpoints.

Once active, the RAT performs a range of post-compromise activities, including:

  • Collecting host information to profile the infected system
  • Checking for virtualized environments, likely to evade sandbox-based analysis
  • Stealing Google Chrome credentials and browser extension data
  • Executing arbitrary shell commands received from the command-and-control (C2) server
  • Uploading and downloading files to support additional attacker objectives

This staged execution model enables attackers to keep the initial npm package relatively lightweight while retrieving the full payload only after the malicious package has been executed, reducing the likelihood of early detection during package inspection.

How Hexnode Helps Reduce the Risk

Defending against software supply chain attacks requires visibility into endpoint activity as well as control over the developer environment. While no single security control can prevent every malicious package from being installed, combining endpoint detection and response (XDR) with unified endpoint management (UEM) significantly reduces the attack surface and accelerates incident response.

Hexnode XDR provides security teams with visibility into suspicious endpoint behaviors associated with attacks like this, including:

  • Unusual PowerShell execution
  • Suspicious VBScript or Python processes spawned during package execution, import, test, or build activity.
  • Potential credential-theft or stealer activity, including suspicious process, file, or access patterns where telemetry supports detection
  • Unexpected outbound connections and other indicators of post-compromise activity
  • Investigation and response actions to help contain affected endpoints from a centralized console

At the same time, Hexnode UEM helps organizations strengthen the security posture of developer workstations by enabling administrators to:

  • Enforce approved application and software deployment policies
  • Maintain device compliance across managed endpoints
  • Keep operating systems and supported applications up to date through patch management
  • Perform remote management and remediation actions when suspicious activity is identified

Together, Hexnode XDR and Hexnode UEM help organizations reduce the likelihood that a malicious dependency can progress from an infected developer workstation to a broader compromise of engineering or production environments.

cybersecurity-kit
Featured Resource

Cybersecurity kit

This resource kit will help your company adopt the right cybersecurity strategy to secure your business.

Get the Resource kit

Key Takeaways

The PostCSS lookalike campaign demonstrates how a seemingly harmless package name can conceal a fully functional remote access trojan (RAT) capable of compromising developer workstations. As software supply chain attacks continue to evolve, organizations can no longer rely solely on package repositories to filter malicious dependencies before they reach development environments.

To reduce risk, enterprises should prioritize:

  • Package governance to limit the use of unverified or unauthorized dependencies
  • Endpoint telemetry that can identify suspicious process execution and post-compromise behavior
  • Rapid credential and secret rotation whenever a developer endpoint is suspected to be compromised
  • Continuous monitoring of developer workstations and CI/CD environments for anomalous activity

For security and IT teams, the objective extends beyond blocking a single malicious package. The broader challenge is ensuring that a compromised developer endpoint cannot become a gateway to source code, cloud infrastructure, or production systems.

Share

Alanna River

I’m a technical content writer at Hexnode who loves simplifying tech. I break down complex ideas, remove the fluff, and help readers clearly understand our product for what it actually is: simple, reliable, and built to solve real problems.