Malware, Jun 24, 2026

Fake npm Packages Impersonate PostCSS Tool to Steal Chrome Passwords

Malicious npm packages impersonate PostCSS tool to steal Chrome passwords.

Summary

JFrog has identified three malicious npm packages designed to impersonate the legitimate PostCSS tooling. These packages, published under the name abdrizak, employ a multi-stage infection process that ultimately deploys a Windows Remote Access Trojan (RAT). The RAT is designed to steal saved usernames and passwords from Google Chrome by bypassing its encryption mechanisms.

Full text

JFrog warns of malicious npm packages that mimic PostCSS tooling, drop a Windows RAT, and target Chrome-stored passwords through a staged infection chain.

by Deeba Ahmed, June 24, 2026

Cybersecurity research firm JFrog reveals in its latest report a new technique that cybercriminals are using to target software developers, tricking them into downloading remote access trojans (RATs). The operation relies on an attack method called package impersonation, in which malicious packages are uploaded under names that resemble trusted utilities in order to attract developers.

According to JFrog's investigation, attackers uploaded three connected malicious packages to the npm registry so that developers would install them by mistake. The primary fake package is named postcss-minify-selector-parser. It looks almost identical to postcss-selector-parser, a highly popular legitimate utility with over 150 million weekly downloads. Because the fake tool shares similar keywords and lists the genuine package as a dependency, it easily bypasses basic code reviews.

JFrog found that an npm user named abdrizak published this code along with two other interconnected packages: postcss-minify-selector and aes-decode-runner-pro.

The Multi-Stage Infection

When a developer imports the fake package, the code does not run normal parsing functions; instead it immediately reads an encrypted text block from a defaults file. The package decrypts this block with AES-256-GCM and runs the result, a JavaScript dropper that saves and executes a PowerShell script named settings.ps1. This PowerShell script downloads a file from nvidiadriver.net, a domain built to look like an official graphics driver site.
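The impersonation pattern described above (a name that extends a popular package's name and declares the real package as a dependency) can be checked mechanically against a lockfile before the install reaches a build machine. The following Python script is an added example, not JFrog's tooling and not code from the packages in the report. The lockfile it parses is constructed, the reference list of popular packages is an assumption (the article names only postcss-selector-parser), and the heuristic generalises the case in the text to any package whose hyphen-separated name tokens contain all of a popular package's tokens.

```python
import json

# The three package names JFrog attributed to the npm user abdrizak (from the article).
KNOWN_MALICIOUS = {
    "postcss-minify-selector-parser",
    "postcss-minify-selector",
    "aes-decode-runner-pro",
}

# Assumed reference list of widely used packages worth protecting from lookalikes;
# the article names only postcss-selector-parser. Extend it for your own stack.
POPULAR_PACKAGES = ["postcss-selector-parser"]


def name_tokens(name):
    """Split an npm package name into lowercase hyphen-separated tokens."""
    return set(name.lower().split("-"))


def audit_lockfile(lock_text):
    """Scan a package-lock.json (lockfileVersion 2 or 3) and return
    [(package_name, [reasons])] for every entry that deserves a look.

    Two signals are used:
      * the name is one JFrog listed as malicious;
      * the name contains every token of a popular package's name but is
        not that package (a lookalike); declaring the real package as a
        dependency at the same time is reported as a further sign of mimicry.
    """
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if "node_modules/" not in path:
            continue  # the "" key is the root project itself
        name = path.rsplit("node_modules/", 1)[1]
        reasons = []
        if name in KNOWN_MALICIOUS:
            reasons.append("named in JFrog report")
        declared_deps = set(meta.get("dependencies", {}))
        for real in POPULAR_PACKAGES:
            if name != real and name_tokens(real) <= name_tokens(name):
                reason = f"lookalike of {real}"
                if real in declared_deps:
                    reason += " (and depends on it)"
                reasons.append(reason)
        if reasons:
            findings.append((name, reasons))
    return findings


# Constructed lockfile for demonstration: one package from the report, one
# invented lookalike name (not a real package), and the genuine
# postcss-selector-parser; versions and dependencies are sample values.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app",
             "dependencies": {"postcss-minify-selector-parser": "^1.0.0",
                              "constructed-postcss-selector-parser": "^1.0.0"}},
        "node_modules/postcss-minify-selector-parser": {
            "version": "1.0.0",
            "dependencies": {"postcss-selector-parser": "^6.0.0"}},
        "node_modules/constructed-postcss-selector-parser": {"version": "1.0.0"},
        "node_modules/postcss-selector-parser": {
            "version": "6.0.0",
            "dependencies": {"cssesc": "^3.0.0", "util-deprecate": "^1.0.2"}},
        "node_modules/cssesc": {"version": "3.0.0"},
        "node_modules/util-deprecate": {"version": "1.0.2"},
    },
})

if __name__ == "__main__":
    for pkg, why in audit_lockfile(SAMPLE_LOCK):
        print(f"{pkg}: {'; '.join(why)}")
```

Run it against a real project's package-lock.json by passing the file contents to audit_lockfile; the token-containment rule is deliberately loose, so treat its output as a review queue rather than a verdict, and weight the "depends on it" variant more heavily.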
The downloaded ZIP archive, disguised as a Windows patch, unpacks into the local temporary directory. A VBScript file named update.vbs then starts a hidden Python environment and runs compiled extension modules such as audiodriver.pyd and command.pyd, which launch a Remote Access Trojan (RAT) that connects to a C2 server.

Stealing Saved Data

The Trojan establishes persistence through the Windows Registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It checks whether it is running inside a virtual machine, to evade security analysts, executes background shell commands, and handles direct file transfers.

The primary target of the attack is Google Chrome. A module named auto.pyd searches for saved login databases and Chrome profile paths. It contains specific functions to bypass Chrome's newer app-bound encryption and extract stored usernames and passwords directly.

JFrog recommends that developers remove these three packages, search their system temporary folders for files named winPatch, .store, or .host, and change all passwords stored in their web browsers.

“This case shows how a small parser-like package can hide a multi-stage Windows payload while appearing related to legitimate build tooling with massive weekly usage. For defenders, the important lesson is to treat lookalike build dependencies as potential delivery mechanisms, not just harmless naming noise,” researchers conclude.
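JFrog's remediation advice and the persistence location named above can be turned into a small host triage check for a developer workstation. The Python below is an added example, not JFrog's code or any tool from the report. The demo directory and the Run-key sample values are constructed; the file names beyond winPatch, .store and .host are the ones the article mentions in the infection chain; and the "script host launched from a temp folder" rule for Run values is an assumed heuristic modelled on the update.vbs step, not something the report states.

```python
import os
import sys
import tempfile

# Names JFrog advises searching the system temp folders for (from the article).
TEMP_INDICATORS = {"winPatch", ".store", ".host"}
# Other file names the article mentions in the infection chain.
CHAIN_INDICATORS = {"settings.ps1", "update.vbs", "audiodriver.pyd", "command.pyd", "auto.pyd"}
# Persistence location named in the report (under HKEY_CURRENT_USER).
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def scan_temp_dirs(directories):
    """Walk each directory and return sorted (path, indicator) hits.
    Files and directories are both matched on their base name, case-insensitively,
    because the article does not say which of the three names are folders."""
    wanted = {n.lower(): n for n in TEMP_INDICATORS | CHAIN_INDICATORS}
    hits = []
    for base in directories:
        for root, dirnames, filenames in os.walk(base):
            for entry in dirnames + filenames:
                indicator = wanted.get(entry.lower())
                if indicator:
                    hits.append((os.path.join(root, entry), indicator))
    return sorted(hits)


def run_key_entries():
    """Return [(value_name, command)] from the HKCU Run key on Windows; [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg  # only available on Windows
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            entries.append((name, str(value)))
            index += 1
    return entries


def suspicious_run_entries(entries):
    """Assumed heuristic: flag Run values that launch a script host from a temp
    folder, the shape of persistence the article describes (update.vbs in %TEMP%)."""
    script_hosts = ("wscript", "cscript", "powershell", "python", ".vbs", ".ps1")
    flagged = []
    for name, command in entries:
        lowered = command.lower()
        if "\\temp\\" in lowered and any(host in lowered for host in script_hosts):
            flagged.append((name, command))
    return flagged


def build_demo_tree():
    """Constructed temp-folder layout for an offline run: one indicator folder
    holding the VBScript name from the article, plus an unrelated file."""
    base = tempfile.mkdtemp(prefix="triage-demo-")
    os.makedirs(os.path.join(base, "winPatch"))
    open(os.path.join(base, "winPatch", "update.vbs"), "w").close()
    open(os.path.join(base, "notes.txt"), "w").close()
    return base


# Constructed Run-key sample: one ordinary autostart and one matching the heuristic.
DEMO_RUN_ENTRIES = [
    ("ExampleApp", r"C:\Program Files\ExampleApp\app.exe --background"),
    ("Updater", r'wscript.exe "C:\Users\dev\AppData\Local\Temp\winPatch\update.vbs"'),
]

if __name__ == "__main__":
    demo = build_demo_tree()
    for path, indicator in scan_temp_dirs([demo]):
        print(f"indicator {indicator!r} at {path}")
    for name, command in suspicious_run_entries(run_key_entries() or DEMO_RUN_ENTRIES):
        print(f"suspicious Run value {name!r}: {command}")
```

On a real Windows host, pass the user's temp folders (for example the values of TEMP and TMP) to scan_temp_dirs and feed run_key_entries() to suspicious_run_entries; a hit on any of the three names JFrog lists is reason enough to isolate the machine and rotate browser-stored credentials, while the Run-key rule is only a pointer to entries worth reading by hand.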

Indicators of Compromise

  • domain — nvidiadriver.net
  • malware — RAT
  • mitre_attack — T1059.003
  • mitre_attack — T1547.001
  • mitre_attack — T1071.001
  • mitre_attack — T1055.001
  • mitre_attack — T1555.003

Entities

  • PostCSS (product)
  • Google Chrome (product)
  • JFrog (vendor)
  • npm (technology)