Malicious npm Packages Pose as PostCSS Tools to Deliver Windows RAT
On March 10, 2024, security researchers discovered malicious npm packages that masquerade as PostCSS tools and are designed to deploy a Windows remote access trojan (RAT). The identified packages include "aes-decode-runner-pro" with 145 downloads, "postcss-minify-selector" with 256 downloads, and "postcss-minify-selector-parser" with 615 downloads. They were uploaded to the npm registry within the last month by a user identified only as "npm user". The primary objective of these packages is to compromise Windows systems by installing the RAT, which gives attackers unauthorized remote control. The seemingly legitimate names, which relate to PostCSS, a popular CSS processing tool, are meant to trick developers into installing the malicious code. This incident highlights the ongoing threat of supply chain attacks within the software development ecosystem, where malicious actors exploit trusted package managers to distribute malware.
Original source: The Hacker News (read the full reporting at the publisher).