A malicious npm package has been discovered impersonating a widely used PostCSS library and delivering a multi-stage Windows remote access trojan (RAT) to developer machines. The package, named postcss-minify-selector-parser, was designed to slip past quick dependency reviews by blending into the legitimate library's keyword space.
The discovery highlights the ongoing threat of supply chain attacks on the npm ecosystem, where a malicious package that reaches a developer's workstation can compromise the machine and expose the credentials, source code and secrets stored on it. In this case, the package had been published within the past month by an otherwise unknown account and had been downloaded 615 times before it was reported.
What Happened
The malicious package, postcss-minify-selector-parser, was built to pass for postcss-selector-parser, the widely used PostCSS parsing library. It reused the same keyword space (postcss, selector, parser, css) and declared the real package as a dependency so that it looked credible during a quick dependency review. The name was close enough to the legitimate one to survive a cursory glance while remaining distinct from it, which is exactly what a lookalike needs: a reviewer sees familiar words in a familiar order and moves on.
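As an added example (not code from the article or from JFrog's analysis), the following Node.js script shows the kind of lookalike check that the text says a quick review misses. Given a candidate package's manifest and a list of well-known names, it flags a name that reuses most of a known name's words or sits within a few edits of it, and records whether the candidate depends on the very package it resembles. The manifest, the list of well-known names and the dependency version range are constructed for the demo.

```javascript
// Added example, not from the article or JFrog's analysis. The manifest and the
// list of well-known names below are constructed for the demo; the version
// range on the dependency is an assumption.
const WELL_KNOWN = ["postcss", "postcss-selector-parser", "autoprefixer", "cssnano"];

const SUSPECT_MANIFEST = {
  name: "postcss-minify-selector-parser",
  version: "1.0.0",                                      // assumed
  keywords: ["postcss", "selector", "parser", "css"],    // as reported
  dependencies: { "postcss-selector-parser": "^6.0.0" }, // range assumed
};

// Plain Levenshtein edit distance (insert, delete, substitute; cost 1 each).
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(
        prev[j] + 1,
        cur[j - 1] + 1,
        prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1),
      );
    }
    prev = cur;
  }
  return prev[b.length];
}

// Split a package name into its words; a scope prefix (@org/) is dropped.
function words(name) {
  return new Set(name.replace(/^@[^/]+\//, "").toLowerCase().split(/[-_.]/).filter(Boolean));
}

// Compare one manifest against the well-known list. A known name counts as
// "resembled" when the candidate reuses at least 75% of its words (only
// applied to multi-word names, otherwise every legitimate postcss-* plugin
// would trip it) or when the two names are within 3 edits of each other.
function lookalikeFindings(manifest, wellKnown = WELL_KNOWN) {
  const name = manifest.name.toLowerCase();
  const nameWords = words(name);
  const deps = Object.keys(manifest.dependencies || {});
  const keywords = new Set((manifest.keywords || []).map((k) => k.toLowerCase()));
  const findings = [];
  for (const known of wellKnown) {
    if (known === name) continue;
    const knownWords = words(known);
    const shared = [...knownWords].filter((w) => nameWords.has(w)).length;
    const coverage = knownWords.size >= 2 ? shared / knownWords.size : 0;
    const distance = levenshtein(name, known);
    if (coverage < 0.75 && distance > 3) continue;
    findings.push({
      resembles: known,
      distance,
      wordCoverage: Number(coverage.toFixed(2)),
      // Depending on the real package is the credibility trick described above.
      dependsOnLookalike: deps.includes(known),
      sharedKeywords: [...knownWords].filter((w) => keywords.has(w)).length,
    });
  }
  return findings;
}

// One-line verdict per match, suitable for printing from a pre-install hook.
function verdict(manifest) {
  const f = lookalikeFindings(manifest);
  if (f.length === 0) return `${manifest.name}: no lookalike match`;
  return f.map((x) =>
    `${manifest.name} resembles ${x.resembles} (distance ${x.distance}, ` +
    `word coverage ${x.wordCoverage}${x.dependsOnLookalike ? ", and depends on it" : ""})`,
  ).join("\n");
}

console.log(verdict(SUSPECT_MANIFEST));
```

The single-word exception matters in practice: "postcss" alone is a prefix of hundreds of legitimate plugins, so only multi-word names are compared by word reuse, and short names fall back to edit distance. A real deployment would source the well-known list from the packages already in the lockfile rather than a hard-coded array.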
According to JFrog, static analysis of the package revealed the payload hidden behind a large encoded blob in src/config/defaults.js, which index.js loads immediately when the package is required; nothing more than importing the package is needed to start the chain. That first stage leads to a downloaded bundle, a layered Windows implant containing a bundled Python runtime, a renamed Python launcher chost.exe, Nuitka-compiled Python extension modules (.pyd), and supporting files such as python310.dll and dll.zip.
A VBS bootstrapper extracted dll.zip and executed chost.exe loader.py; since chost.exe is just a renamed Python launcher, this is equivalent to running python loader.py. The loader imported audiodriver, a compiled module, to start the RAT logic. Analysis of the embedded RT_RCDATA resources and the module names allowed JFrog to reconstruct the malware's structure and command flow. Renaming the interpreter and compiling the logic into extension modules both serve to frustrate quick triage: a process list shows chost.exe rather than python.exe, and there is no Python source on disk to read.
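The encoded blob in src/config/defaults.js is the part of this chain a reviewer can catch before anything runs. As an added example (not code from the article or from JFrog), the following Node.js script makes a static triage pass over an unpacked package: it looks for a large encoded string literal next to a decode-and-execute sink, and checks whether the file holding it is required by the entry point. The package contents are constructed for the demo; the blob is pseudo-random base64-alphabet text, not the real payload.

```javascript
// Added example, not from the article or JFrog's analysis. The package
// contents below are constructed for the demo; the "blob" is pseudo-random
// base64-alphabet text standing in for an encoded payload.

// Deterministic pseudo-random base64-alphabet text (a 32-bit LCG; constructed stand-in).
function fakeBlob(length, seed = 0x1234) {
  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  let x = seed;
  let out = "";
  for (let i = 0; i < length; i++) {
    x = (Math.imul(x, 1103515245) + 12345) >>> 0;
    out += alphabet[(x >>> 16) & 63];
  }
  return out;
}

// Constructed package: entry point requires a config file that hides a blob.
const SAMPLE_PACKAGE = {
  "index.js":
    'const defaults = require("./src/config/defaults");\n' +
    'module.exports = require("postcss-selector-parser");\n',
  "src/config/defaults.js":
    `const payload = "${fakeBlob(400)}";\n` +
    'const code = Buffer.from(payload, "base64").toString("utf8");\n' +
    "eval(code);\nmodule.exports = {};\n",
  "src/clean.js": "module.exports = (s) => s.trim();\n",
};

// Matches double-, single- and backtick-quoted string literals.
const STRING_LITERAL = /"((?:[^"\\\n]|\\.)*)"|'((?:[^'\\\n]|\\.)*)'|`((?:[^`\\]|\\.)*)`/g;

// Sinks that turn a string into behaviour.
const SINKS = [
  { label: "eval", re: /\beval\s*\(/ },
  { label: "new Function", re: /\bnew\s+Function\s*\(/ },
  { label: "base64/hex decode", re: /Buffer\.from\s*\([^)]*,\s*["'](?:base64|hex)["']\s*\)/ },
  { label: "child_process", re: /require\s*\(\s*["']child_process["']\s*\)/ },
];

// Shannon entropy in bits per character; encoded payloads score high.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

function looksEncoded(lit) {
  return /^[A-Za-z0-9+/]+={0,2}$/.test(lit) || /^(?:[0-9a-fA-F]{2})+$/.test(lit);
}

// Large encoded literals and sinks present in one source file.
function scanSource(src, minBlob = 256) {
  const blobs = [];
  for (const m of src.matchAll(STRING_LITERAL)) {
    const lit = m[1] ?? m[2] ?? m[3] ?? "";
    if (lit.length >= minBlob && looksEncoded(lit)) {
      blobs.push({ length: lit.length, entropy: Number(shannonEntropy(lit).toFixed(2)) });
    }
  }
  const sinks = SINKS.filter((s) => s.re.test(src)).map((s) => s.label);
  return { blobs, sinks };
}

// Relative require() targets in a file, normalised to package paths. This is a
// regex approximation: it does not separate top-level requires from ones inside
// functions, so read "reachable" as "very likely loaded at require time".
function requiredFiles(src) {
  return [...src.matchAll(/require\s*\(\s*["'](\.[^"']+)["']\s*\)/g)].map((m) => {
    let p = m[1].replace(/^\.\//, "");
    if (!/\.(?:js|cjs|mjs|json)$/.test(p)) p += ".js";
    return p;
  });
}

// Files that carry both a large encoded literal and a sink, with a note on
// whether the entry point pulls them in.
function triagePackage(files, entry = "index.js") {
  const loadedByEntry = new Set(requiredFiles(files[entry] || ""));
  const findings = [];
  for (const [path, src] of Object.entries(files)) {
    const { blobs, sinks } = scanSource(src);
    if (blobs.length === 0 || sinks.length === 0) continue;
    findings.push({ path, blobs, sinks, reachableFromEntry: loadedByEntry.has(path) });
  }
  return findings;
}

console.log(JSON.stringify(triagePackage(SAMPLE_PACKAGE), null, 2));
```

The two signals are deliberately combined: a large base64 literal on its own is common (embedded fonts, source maps, test fixtures), and an eval is common in bundlers' output, but a file with both, loaded by the entry point, is worth opening before the package is allowed into a build. Running the scan over a published tarball rather than a git checkout matters too, since what ships on the registry need not match the repository.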
Background and Context
The npm ecosystem has been hit by a steady stream of supply chain attacks in recent years, in which malicious packages are published to the registry and used to compromise the machines of the developers who install them. Many of these attacks rely less on exploiting a bug than on social engineering: a package that looks legitimate enough that a developer installs it without a second look.
PostCSS is a widely used CSS processing library, with over 150 million weekly downloads. That popularity, and the large ecosystem of postcss-* plugins around it, makes it an attractive name for attackers to imitate when targeting developer machines and the sensitive information on them.
Why It Matters to the Industry
The discovery of this malicious package highlights the ongoing threat of supply chain attacks on the npm ecosystem. Developers in the adult industry build and deploy their applications on the same npm packages as everyone else, and are exposed in the same way: a RAT on a developer workstation puts the credentials, source code and deployment access on that machine in the attacker's hands.
Lookalike packages are hard to spot precisely because PostCSS and other popular libraries sit at the centre of large plugin ecosystems full of legitimately named postcss-* packages. A name that is close enough to the real one to pass a cursory inspection, while remaining distinct from it, does not stand out in such a list, which makes this kind of threat difficult to mitigate by inspection alone.
What Comes Next
The discovery of this malicious package serves as a reminder of the importance of secure development practices and regular dependency audits: confirming that a newly added package is the one intended and not a lookalike, questioning any dependency that carries a large unexplained encoded blob, and treating developer workstations as the sensitive systems they are. Developers in the adult industry must remain vigilant and take these steps to protect themselves against supply chain attacks.
GitHub, which has operated the npm registry since acquiring npm, Inc. in 2020, has not commented on the discovery. Packages confirmed as malicious are normally removed from the registry once reported, and it is likely that further steps will be taken to mitigate the threat and prevent similar attacks in the future.
Key Facts
- The malicious package, postcss-minify-selector-parser, was designed to mimic the widely used PostCSS library, postcss-selector-parser.
- The package reused the same keyword space (postcss, selector, parser, css) and depended on the real package to appear credible during quick dependency reviews.
- The package had been downloaded 615 times before being discovered.
- The downloaded bundle was a sophisticated, layered Windows implant containing a bundled Python runtime, a renamed Python launcher chost.exe, Nuitka-compiled Python extension modules (.pyd), and supporting files such as python310.dll and dll.zip.
- The VBS bootstrapper extracted dll.zip and executed chost.exe loader.py, which behaved equivalently to running Python on loader.py.