Fast Facts
- Malicious npm packages such as "aes-decode-runner-pro" and "postcss-minify-selector-parser" embed a JavaScript dropper that delivers a Windows RAT capable of credential theft, data exfiltration, and remote command execution, staged through a multi-step chain of PowerShell, Visual Basic Script, and Python components.
- The packages pose as legitimate build tools and depend on the real "postcss-selector-parser" library to appear credible, while concealing the multi-stage malware that deploys the remote access tool.
- Related supply chain campaigns observed recently use techniques such as blockchain-based command and control, payloads hidden in code diffs, and multi-platform malware to evade detection and compromise developer ecosystems.
Threat, Attack Techniques, and Targets
Cybersecurity researchers found malicious npm packages posing as PostCSS tools. The packages are named “aes-decode-runner-pro,” “postcss-minify-selector,” and “postcss-minify-selector-parser.” They were published in the past month by a user named “abdrizak,” and all three are still available for download.
The packages look like legitimate build tools. “aes-decode-runner-pro” and “postcss-minify-selector-parser” are presented as layered AES encryption or custom-codec utilities, and both depend on the real “postcss-selector-parser” library. The third, “postcss-minify-selector,” claims to minify CSS selectors.
Once downloaded, the packages run a JavaScript dropper. This dropper writes a PowerShell script (“settings.ps1”) to disk and executes it. The script downloads a ZIP archive from an external server (“nvidiadriver[.]net”). Inside the ZIP, there is a Visual Basic Script (“update.vbs”), a Python runtime, and Python modules (.pyd files).
The Visual Basic script sets up a Python environment and runs “loader.py.” The core malware then starts. This malware functions as a Windows RAT. It can collect host information, steal Chrome credentials and extensions, run shell commands, and communicate with a command-and-control (C2) server (“95.216.92[.]207:8080”).
Impact, Security Implications, and Remediation Guidance
This campaign poses serious security risks. The malware can steal sensitive data and control infected Windows systems remotely. The use of well-known npm packages as delivery methods makes detection harder. Additionally, the attack can compromise developer environments and build processes.
Affected users should remove the malicious packages immediately and delete any files or artifacts created during infection. Credentials on impacted developer machines should be changed.
Since detailed removal steps are not provided, organizations should contact their security vendors or authorities for specific remediation guidance and detection strategies.
