{"id":279590,"date":"2026-06-23T04:54:00","date_gmt":"2026-06-23T08:54:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/23\/malicious-npm-packages-pose-as-postcss-tools-to-deliver-windows-rat\/"},"modified":"2026-06-23T11:15:07","modified_gmt":"2026-06-23T15:15:07","slug":"malicious-npm-packages-pose-as-postcss-tools-to-deliver-windows-rat","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/23\/malicious-npm-packages-pose-as-postcss-tools-to-deliver-windows-rat\/","title":{"rendered":"Malicious npm Packages Pose as PostCSS Tools to Deliver Windows RAT"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/malicious-npm-packages-pose-as-postcss.html\">Malicious npm Packages Pose as PostCSS Tools to Deliver Windows RAT<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/malicious-npm-packages-pose-as-postcss.html\">https:\/\/thehackernews.com\/2026\/06\/malicious-npm-packages-pose-as-postcss.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-06-23 04:54:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span><span class=\"author\">Jun 23, 2026<\/span><\/span><span class=\"p-tags\">Supply Chain Attack \/ Developer Security<\/span><\/p>\n<p>Cybersecurity researchers have discovered a set of malicious npm packages that are designed to deliver a Windows-based remote access trojan (RAT).<\/p>\n<p>The list of identified packages is below:<\/p>\n<ul>\n<li>aes-decode-runner-pro (145 downloads)<\/li>\n<li>postcss-minify-selector (256 downloads)<\/li>\n<li>postcss-minify-selector-parser (615 downloads)<\/li>\n<\/ul>\n<p>All the packages were published over the past month by an npm user named &#8220;abdrizak&#8221; and continue to be available for download from npm as of writing.<\/p>\n<p>&#8220;Aes-decode-runner-pro and 
postcss-minify-selector-parser both present themselves as layered AES\/custom-codec packages and depend on the legitimate postcss-selector-parser,&#8221; JFrog said in an analysis. &#8220;Postcss-minify-selector presents itself as a PostCSS selector minifier and depends on postcss-minify-selector-parser.&#8221;<\/p>\n<p>As for &#8220;postcss-minify-selector-parser,&#8221; the name is a reference to &#8220;postcss-selector-parser,&#8221; a widely used npm library with more than 127 million weekly downloads. Regardless of the package downloaded, the attack chain leads to the deployment of the same Windows malware.<\/p>\n<p>The packages come embedded with a JavaScript dropper that writes a PowerShell script (&#8220;settings.ps1&#8221;) to disk and executes it. The PowerShell script then acts as a downloader for a next-stage payload retrieved from an external server (&#8220;nvidiadriver[.]net&#8221;) using &#8220;curl.exe.&#8221;<\/p>\n<p>The retrieved payload is a ZIP archive, from which a Visual Basic Script (&#8220;update.vbs&#8221;) file is extracted and run using &#8220;wscript.exe.&#8221; Also bundled in the downloaded ZIP file are a Python runtime, a Python loader (&#8220;loader.py&#8221;), and a number of Python extension modules (*.pyd) compiled using Nuitka.<\/p>\n<p>The Visual Basic Script is responsible for setting up the Python environment on the compromised host and launching the &#8220;loader.py&#8221; script, which then triggers the core logic of the malware. 
The RAT is equipped to gather host information, siphon credentials from Google&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/malicious-npm-packages-pose-as-postcss.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Malicious npm Packages Pose as PostCSS Tools to Deliver Windows RAT https:\/\/thehackernews.com\/2026\/06\/malicious-npm-packages-pose-as-postcss.html Publish Date: 2026-06-23&#8230;<\/p>\n","protected":false},"author":1,"featured_media":279591,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiENcFC1DFPXKuRCT_WmSwq-wpzC8IcZUdZzu5IHi597n77W8LFs9qSUdDPCuMK9QzkRZEBMbBh4p2xhnI1OXZu4akIgR5suIv_yRA7AtEkojDcyXaU5x0UiZKRDRvTn0n0wy9HIQnhJj9zUO0rpemNOFNZEmMl4NQsCj5aDEpDrqXUkivsOX1QoLRqeKZh\/s1600\/npmm.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32],"class_list":["post-279590","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/279590"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=279590"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/279590\/revisions"}],"predecessor-version":[{"id":279592,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/279590\/revisions\/279592"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2
\/media\/279591"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=279590"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=279590"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=279590"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}