
Malicious npm Packages Discovered Delivering Windows RAT

Cybersecurity researchers identified a set of malicious npm packages that pose as PostCSS tools but are designed to deliver a Windows-based remote access trojan (RAT). The malicious packages, published within the past month by a single npm user, have been downloaded between 145 and 615 times each.

What happened

Researchers found several npm packages used to distribute a Windows RAT by disguising them as legitimate PostCSS-related tools. The discovered packages include aes-decode-runner-pro, postcss-minify-selector, and postcss-minify-selector-parser, with download counts ranging from 145 to over 600 since their publication. All packages were published recently by the same npm user account, suggesting a coordinated campaign.

Why it matters

This incident highlights ongoing risks associated with software supply chain attacks, where attackers inject malicious code into widely used development libraries. Compromise of npm packages can lead to unauthorized remote access on affected Windows systems, exposing organizations to data breaches, espionage, or further compromise. The presence of malware in packages mimicking popular tools can undermine developer trust in open-source ecosystems.

What security teams should do

Security teams should review their dependencies and identify use of the affected npm packages or related suspicious packages. Removing or replacing these packages, and verifying the integrity of software components, is essential. Monitoring endpoint activity for signs of RAT infections, such as unusual network connections or remote control indicators, can help with early detection. Organizations may also consider implementing strict dependency policies and using automated tools to scan for malicious packages in the supply chain.
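One way to carry out the dependency review described above is to scan a parsed package-lock.json for the three package names the article lists. This is an added example, not code from the article or the researchers; the sample lockfile, its versions, and the `build-helper` and `aes` folder names are constructed.

```javascript
// Added example: not from the original article or the researchers.
// Package names are the three listed in the article; all other data is constructed.
const BLOCKLIST = new Set([
  "aes-decode-runner-pro",
  "postcss-minify-selector",
  "postcss-minify-selector-parser",
]);

// Package name from a lockfile v2/v3 key: "node_modules/a/node_modules/@s/b" -> "@s/b".
function nameFromPath(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Lockfile v1 nests transitive dependencies, so walk the tree recursively.
function walkV1(deps, trail, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = [...trail, name];
    if (BLOCKLIST.has(name)) hits.push({ name, version: info.version, via: path.join(" > ") });
    walkV1(info.dependencies, path, hits);
  }
}

// Return every blocklisted package found in a parsed package-lock.json.
function findFlagged(lock) {
  const hits = [];
  if (!lock.packages) {
    walkV1(lock.dependencies, [], hits);
    return hits;
  }
  for (const [key, info] of Object.entries(lock.packages)) {
    // "name" is recorded when it differs from the folder name (e.g. an npm alias).
    const name = info.name || nameFromPath(key);
    if (name && BLOCKLIST.has(name)) hits.push({ name, version: info.version, via: key });
  }
  return hits;
}

// Constructed sample. Exact matching leaves the legitimate cssnano package
// "postcss-minify-selectors" (plural) alone and still catches nested and aliased installs.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/postcss-minify-selectors": { version: "0.0.0" },
    "node_modules/build-helper/node_modules/postcss-minify-selector": { version: "0.0.0" },
    "node_modules/aes": { name: "aes-decode-runner-pro", version: "0.0.0" },
  },
};
console.log(findFlagged(sampleLock));
```

To check a real project, pass `findFlagged` the result of `JSON.parse` on the contents of its package-lock.json.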

Key technical details

The malicious npm packages were designed as decoys that imitate tools for PostCSS, a popular CSS processing library. Upon installation, these packages deliver a Windows-based remote access trojan capable of granting an attacker control over infected machines. The packages were published over the last month by the same npm user account, and each has accumulated hundreds of downloads. Details about the specific RAT capabilities or infection vectors beyond the package disguises were not disclosed.

Affected organizations/products

The affected packages are aes-decode-runner-pro (145 downloads), postcss-minify-selector (256 downloads), and postcss-minify-selector-parser (615 downloads). These packages are hosted on the npm registry and were recently published by a single user. The threat targets Windows systems through infected development dependencies.

Source attribution

https://thehackernews.com/2026/06/malicious-npm-packages-pose-as-postcss.html

Written by Thirumala Rao Padilam