Cybersecurity · June 23, 2026 · via The Hacker News

Malicious npm packages masquerade as PostCSS tools to spread Windows RAT


Cybersecurity teams have flagged a trio of malicious npm packages that disguise themselves as legitimate PostCSS tools to sneak a Windows remote access trojan onto developers’ machines.

The packages—aes-decode-runner-pro, postcss-minify-selector, and postcss-minify-selector-parser—were uploaded to the npm registry over the past month by a single user account. In total, they have accumulated hundreds of downloads, indicating that unsuspecting developers may have already integrated them into build pipelines or development workflows.

A closer look at the disguise

These packages mimic the names and descriptions of popular PostCSS plugins, leveraging the reputation of a widely used CSS post-processor to slip past initial scrutiny. Once installed, the malicious code executes automatically during the build process, establishing a persistent backdoor on the host system. The payload is a Windows-based remote access trojan, granting attackers the ability to execute commands, exfiltrate data, or pivot to other systems within the same network.

Why this matters now

Supply-chain attacks through package registries like npm continue to escalate, exploiting trust in open-source ecosystems. Developers who rely on third-party packages for critical tooling face increased risk when malicious actors co-opt familiar project names. Security teams recommend auditing dependencies, verifying package publishers, and using automated scanning tools to detect suspicious code before integration.
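One way to start the dependency audit recommended above is to search a project's lockfile for the three package names this article reports, including transitive and aliased installs. This is an added example, not code from the original report; the sample lockfile, its parent package names and its versions are constructed for illustration.

```javascript
// Package names reported in the article above.
const FLAGGED = new Set([
  "aes-decode-runner-pro",
  "postcss-minify-selector",
  "postcss-minify-selector-parser",
]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromLockPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? "" : path.slice(i + marker.length);
}

// Returns every flagged entry in a parsed package-lock.json, including
// transitive ones. Matching is exact, so similarly named packages do not hit.
function findFlagged(lock) {
  const hits = [];
  if (lock.packages) {
    // Lockfile v2/v3: flat map keyed by install path; "name" is set for aliases.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = meta.name || nameFromLockPath(path);
      if (FLAGGED.has(name)) hits.push({ name, version: meta.version, path });
    }
    return hits;
  }
  // Lockfile v1: nested "dependencies" tree; aliases appear as "npm:real@ver".
  const walk = (deps, trail) => {
    for (const [key, meta] of Object.entries(deps || {})) {
      const alias = /^npm:(.+)@[^@]+$/.exec(meta.version || "");
      const name = alias ? alias[1] : key;
      const path = trail.concat(key).join(" > ");
      if (FLAGGED.has(name)) hits.push({ name, version: meta.version, path });
      walk(meta.dependencies, trail.concat(key));
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample (v3 layout); parent names and versions are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/postcss-minify-selectors": { version: "1.0.0" },
    "node_modules/example-build-helper/node_modules/postcss-minify-selector": { version: "0.0.1" },
    "node_modules/css-tool": { name: "aes-decode-runner-pro", version: "0.0.2" },
  },
};
console.log(findFlagged(sampleLock));
```

To check a real project, pass the function the parsed contents of its `package-lock.json`; any hit should be treated as a reason to investigate the host and build environment, not only to remove the dependency.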


Source: The Hacker News. AI-assisted editorial synthesis — TechnoExpress.
