JFrog researchers discovered three malicious npm packages — aes-decode-runner-pro, postcss-minify-selector and postcss-minify-selector-parser — that masquerade as legitimate build tools and deliver a multi-stage Windows remote access trojan (RAT). The packages exploit developers’ trust in the PostCSS ecosystem: the name postcss-minify-selector-parser imitates postcss-selector-parser, a legitimate library with more than 127 million weekly downloads. In total, the malicious packages were downloaded over 1,000 times. Developers who have installed any of these packages must immediately remove them, clean up artifacts, and rotate all credentials on affected machines.
Attack mechanism: from npm install to a full-featured RAT
According to the researchers, all three packages were published over the last month by the user abdrizak. The aes-decode-runner-pro and postcss-minify-selector-parser packages present themselves as AES encoding utilities and depend on the legitimate postcss-selector-parser. The postcss-minify-selector package is positioned as a CSS selector minifier and depends on postcss-minify-selector-parser. Regardless of which of the three packages is installed, the attack chain results in deployment of the same malware.
The infection chain consists of several stages:
- A built-in JavaScript dropper writes a PowerShell script named
settings.ps1to disk and executes it. - The PowerShell loader downloads the next stage from the external server
nvidiadriver[.]netusingcurl.exe. - The downloaded ZIP archive contains a VBS file
update.vbs, a Python runtime, the loaderloader.py, and a set of compiled Python modules (.pyd) built with Nuitka. - The VBS script sets up the Python environment and launches
loader.py, which activates the main RAT logic.
Modular trojan architecture
The RAT is implemented as a set of native Python modules, each responsible for a separate function:
- config.pyd — constants, command identifiers, C2 server URLs, registry key names
- api.pyd — packet exchange with the C2 server over HTTP
- audiodriver.pyd — main RAT orchestration loop (name chosen for camouflage)
- command.pyd — host profiling, virtual machine checks, file transfer, shell command execution
- auto.pyd — theft of Google Chrome credentials and extension data with App-Bound Encryption (ABE) bypass
- util.pyd — helper functions for working with tar/gzip archives
Bypassing ABE — Chrome’s protection mechanism that binds encryption to a specific application — makes this RAT particularly dangerous for developers who store passwords and access tokens for repositories, CI/CD systems, and cloud services in the browser.
Indicators of compromise
- C2 server:
95.216.92[.]207:8080 - Payload download domain:
nvidiadriver[.]net
Wave of attacks on the npm supply chain
The discovery of these packages coincides with several other campaigns targeting the npm ecosystem, pointing to systemic growth of supply-chain attacks via package managers:
- According to SafeDep, the apintergrationpost package delivers a Linux RAT called MYRA. Reportedly, it compiles a native C rootkit at install time, creates three persistence mechanisms, masquerades as a systemd service, and supports fileless execution.
- According to SafeDep, the @withgoogle/stitch-sdk package imitates the Google Stitch AI tool and steals developer credentials from eight sources: Claude Code, git config, ~/.git-credentials, SSH keys, GitHub CLI, npm config, ~/.npmrc, and ~/.docker/config.json. The data is sent to the domain
stitch-production[.]org. - A cluster of five packages (procwire, routecraft, endpointmap, bytecraft, staticlayer) that deliver and run a dropper on Windows hosts when npm install is executed.
Separately, SafeDep recorded a supply-chain attack via the Egonex-AI/Understand-Anything project, where malicious code uses the Tron blockchain as its command-and-control infrastructure — the address of the latest transaction encodes the hash of a BSC transaction with an active payload.
Impact assessment
Despite the relatively small number of downloads (around 1,016 in total), the main risk lies in the target audience: the packages are aimed at developers using PostCSS, one of the most popular CSS processing tools. Compromising a developer machine opens access to private repositories, CI/CD secrets, cloud provider tokens, and signing keys. The auto.pyd module, which specializes in stealing Chrome data including extensions, can extract tokens from password managers and authentication sessions.
The use of the domain nvidiadriver[.]net to download the payload is a classic social engineering technique: the domain name mimics legitimate NVIDIA software and may not raise suspicion during a cursory review of network traffic.
Response recommendations
- Review project dependencies for the presence of aes-decode-runner-pro, postcss-minify-selector, postcss-minify-selector-parser, apintergrationpost, @withgoogle/stitch-sdk, procwire, routecraft, endpointmap, bytecraft, staticlayer.
- Remove malicious packages and all artifacts:
settings.ps1,update.vbs,loader.pyfiles, directories with the Python runtime, and.pydmodules. - Check network connections to
95.216.92[.]207:8080,nvidiadriver[.]net, andstitch-production[.]orgin proxy and DNS logs. - Rotate all credentials on affected machines: Chrome passwords, SSH keys, GitHub/npm/Docker tokens, CI/CD secrets.
- Implement dependency review policies: use audit tools (npm audit, Socket, Snyk) and block installing unvetted packages using lockfiles and allowlist-based package policies.
- Configure monitoring for PowerShell and wscript.exe execution from node_modules directories — this is abnormal behavior for npm packages.
This case clearly demonstrates that even a small auxiliary package mimicking a popular build dependency can conceal a full-scale multi-stage attack. The key actions for development teams are to immediately check their projects for the listed packages, block the specified indicators of compromise at the network infrastructure level, and introduce automated dependency auditing as a mandatory step in the CI/CD pipeline.
