Typosquatted npm Package Delivers Windows RAT via Encrypted HTTP C2 and Registry Persistence
A typosquatted npm package mimicking a popular CSS tool delivers a full-featured Windows RAT that uses RC4-encrypted HTTP C2, registry persistence, and Chrome credential theft.

A newly discovered malware campaign is targeting Windows systems through a deceptive package on the npm registry. Disguised as a legitimate CSS build tool, the malicious package quietly installs a full-featured Remote Access Trojan, or RAT, on developer machines. The attack is subtle, well-crafted, and far more dangerous than it first appears.
The infection begins with a typosquatted npm package called postcss-minify-selector-parser, designed to look like the widely trusted postcss-selector-parser, which sees over 150 million weekly downloads. When a developer installs the fake package, a hidden encoded blob inside the entry file kicks off a multi-stage attack chain. The payload eventually drops a Windows RAT capable of stealing credentials, running shell commands, and communicating with a remote attacker.
Security researchers at JFrog identified the threat and published a detailed analysis on June 22, 2026, in a report shared with Cyber Security News. The investigation also uncovered two related packages, postcss-minify-selector and aes-decode-runner-pro, all tied to the same npm publisher. At the time of the report, all three packages were still live and accessible on the registry.
What makes this campaign stand out is how carefully it blends in. The fake package uses the same keywords and even depends on the real postcss-selector-parser, making it easy to miss during a routine dependency review. Developers in fast-moving projects who do not audit transitive dependencies are especially at risk, and the attacker clearly understood how trust operates in open-source ecosystems.
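The dependency-review gap described above can be closed with a lockfile scan rather than eyeballing package.json. The following script is an added example written for this article, not JFrog's tooling or code from the malicious packages. It walks a package-lock.json in both the v1 nested layout and the v2/v3 flat "packages" layout, flags the three package names from the report, and additionally flags names that embed the full token set of a trusted package (the heuristic that catches postcss-minify-selector-parser against postcss-selector-parser). The sample lockfile and its version strings are constructed for the demonstration.

```python
import json
import re
from pathlib import Path

# The three package names from the JFrog report.
MALICIOUS_PACKAGES = {
    "postcss-minify-selector-parser",
    "postcss-minify-selector",
    "aes-decode-runner-pro",
}

# Trusted names whose token set a lookalike tends to embed.
TRUSTED_NAMES = {"postcss-selector-parser"}


def tokens(name: str) -> frozenset:
    """'postcss-selector-parser' -> {'postcss', 'selector', 'parser'}."""
    return frozenset(t for t in re.split(r"[-_./@]+", name.lower()) if t)


def lockfile_package_names(lock: dict) -> set:
    """Every package name in a package-lock.json.

    v2/v3: 'packages' keyed by install path, e.g.
           'node_modules/a/node_modules/b' -> 'b' (scoped names keep '@scope/').
    v1:    nested 'dependencies' objects, walked recursively.
    """
    names = set()
    for path in lock.get("packages", {}):
        if not path:  # "" is the root project itself
            continue
        names.add(path.rsplit("node_modules/", 1)[-1])

    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            names.add(name)
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return names


def audit(lock: dict) -> dict:
    """Return exact blocklist hits and token-superset lookalikes of trusted names."""
    names = lockfile_package_names(lock)
    blocked = sorted(names & MALICIOUS_PACKAGES)
    lookalikes = sorted(
        n for n in names
        if n not in TRUSTED_NAMES
        and any(tokens(t) < tokens(n) for t in TRUSTED_NAMES)  # proper superset
    )
    return {"blocked": blocked, "lookalikes": lookalikes}


def audit_file(path: str) -> dict:
    return audit(json.loads(Path(path).read_text(encoding="utf-8")))


# Constructed v3 lockfile: the fake package pulls in the real one as a
# transitive dependency, exactly the pattern the article describes.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app",
             "dependencies": {"postcss-minify-selector-parser": "^1.0.0"}},
        "node_modules/postcss": {"version": "8.4.0"},
        "node_modules/postcss-minify-selector-parser": {"version": "1.0.0"},
        "node_modules/postcss-minify-selector-parser/node_modules/postcss-selector-parser":
            {"version": "6.0.0"},
    },
}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_LOCK), indent=2))
```

The lookalike heuristic is deliberately loose: a legitimate plugin such as a typings package for postcss-selector-parser will also trip it, so treat those hits as a review queue, not a verdict. The blocklist hits need no review.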
The real damage only becomes clear after the full payload chain executes. A PowerShell downloader fetches a ZIP archive from a lookalike domain, extracts it, and launches a VBS script to start the RAT. The final implant runs as a bundled Python application compiled with Nuitka, making it much harder to inspect than a typical script-based threat.
Once the RAT is running on a victim machine, it establishes contact with a command-and-control (C2) server over plain HTTP. Request and response bodies are wrapped in RC4 (ARC4) encryption, with MD5 hashes used alongside it, so content-based signatures do not fire on the traffic. This is obfuscation rather than strong cryptography: RC4 is a symmetric stream cipher, anyone who recovers the key from the implant can decrypt every captured exchange, and the HTTP envelope itself (destination host, URI pattern, beacon cadence) stays visible to network monitoring. The RAT sends an initial host profile to the C2 and then enters a loop, polling for commands from the attacker. To survive reboots, the malware writes an autostart entry named csshost under the Windows Run registry key. It also stores a persistent victim UUID and host configuration in files dropped in the TEMP directory.
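To make the RC4 wrapping concrete, here is an added example (written for this article, not code from the implant or from JFrog) of a beacon being wrapped and unwrapped the way an analyst would reproduce it after pulling the key from the binary. The report does not specify how MD5 enters the scheme, so this example assumes, as a labelled guess, that the RC4 key is the MD5 digest of a shared secret; the secret and the host profile are constructed. It also shows the weakness that makes such C2 tractable: with one fixed key, every message reuses the same keystream, so one known plaintext (the host profile, which the implant always sends first) recovers the keystream prefix and decrypts later commands without the key.

```python
import hashlib
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4/ARC4: key scheduling, then XOR with the PRGA keystream.
    Encryption and decryption are the same function."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_key(secret: bytes) -> bytes:
    # ASSUMPTION for this example: key = MD5(secret). The report only says
    # MD5 material is involved; the real derivation is not documented here.
    return hashlib.md5(secret).digest()


def wrap(secret: bytes, message: dict) -> bytes:
    """Serialize a JSON message and RC4 it, as an HTTP request/response body."""
    return rc4(derive_key(secret), json.dumps(message, separators=(",", ":")).encode())


def unwrap(secret: bytes, body: bytes) -> dict:
    """Reverse of wrap(): what an analyst does with a pcap plus the recovered key."""
    return json.loads(rc4(derive_key(secret), body).decode())


def keystream_from_known_plaintext(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Stream cipher with a fixed key: ciphertext XOR plaintext = keystream."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def decrypt_with_keystream(ciphertext: bytes, keystream: bytes) -> bytes:
    """Decrypt as many bytes as the recovered keystream covers (no key needed)."""
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


# Constructed demo values (not real IOCs).
SECRET = b"constructed-demo-secret"
HOST_PROFILE = {"uuid": "11111111-2222-3333-4444-555555555555",
                "host": "DEV-LAPTOP", "os": "Windows 10", "user": "dev"}
COMMAND = {"cmd": "shell", "args": "whoami"}

if __name__ == "__main__":
    beacon = wrap(SECRET, HOST_PROFILE)
    print("beacon body:", beacon.hex())
    print("unwrapped:", unwrap(SECRET, beacon))
    ks = keystream_from_known_plaintext(beacon, json.dumps(HOST_PROFILE, separators=(",", ":")).encode())
    print("command without key:", decrypt_with_keystream(wrap(SECRET, COMMAND), ks))
```

The keystream-reuse step is the detection-side payoff: if the implant never rotates its key, a single decrypted beacon turns a whole capture into readable JSON. Whether this particular RAT rotates keys is not stated in the report; the point is that RC4 over HTTP hides bodies from naive inspection, not from an analyst with one known message.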
The RAT supports a wide range of capabilities including remote shell execution, file upload and download, randomized sleep commands, and virtual machine detection. The VM checks use WMI queries and MAC address prefix matching (the OUIs assigned to common hypervisor vendors) to detect sandbox analysis environments and go quiet inside them. This level of evasion design points to a threat actor with deliberate technical planning and real operational experience.
Beyond remote control, the RAT includes a dedicated module for stealing saved login data from Google Chrome. It reads Chrome's local profile files, including the Login Data SQLite database, and calls the Windows Data Protection API (DPAPI) to decrypt stored passwords. It also handles Chrome's newer app-bound encryption, so credentials saved under the current protection scheme are not safe either. The same compiled extension module, auto.pyd, also collects Chrome extension data and packages the results into an in-memory archive before exfiltrating them. For developers who keep API keys, tokens, or credentials in their browser, this is a serious and immediate threat.
JFrog recommends that anyone who installed packages from this cluster remove them right away and inspect full dependency trees for transitive risks. Security teams should block the network indicators tied to this campaign and search endpoints for related file paths, registry entries, and executables. All browser-stored credentials and development tokens on affected machines should be treated as compromised and rotated without delay. Because the implant provides an interactive remote shell, a machine that ran it should be treated as fully compromised; rebuilding it is safer than cleaning it.
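The endpoint search recommended above can start with the one persistence indicator the report gives, the csshost value under the Run key. The triage script below is an added example for this article, not JFrog's tooling. It reads the HKCU and HKLM Run keys when run on Windows, and on any platform applies two checks to a list of entries: an exact match on the reported value name, and a heuristic (an assumption on our part, not from the report) that flags Run commands which invoke the Windows Script Host, reference a .vbs file, or execute something under a TEMP directory, since that is the shape of the VBS-launched chain the article describes. The sample entries are constructed; the command strings are illustrative, not recovered from the malware.

```python
import platform
import re

# Value name from the JFrog report.
SUSPICIOUS_VALUE_NAMES = {"csshost"}

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# ASSUMPTION (heuristic, not a reported IOC): Run entries that launch wscript/
# cscript, a .vbs file, or anything under TEMP deserve a look on a dev box.
SUSPICIOUS_COMMAND = re.compile(
    r"(wscript|cscript)(\.exe)?\b|\.vbs\b|\\temp\\|%temp%", re.IGNORECASE)


def triage_run_entries(entries):
    """entries: iterable of (value_name, command, hive_label).
    Returns [(value_name, command, hive_label, [reasons...])] for hits only."""
    findings = []
    for name, command, hive in entries:
        reasons = []
        if name.lower() in SUSPICIOUS_VALUE_NAMES:
            reasons.append("value name matches reported persistence entry")
        if SUSPICIOUS_COMMAND.search(command):
            reasons.append("command runs a script host, .vbs, or a TEMP-resident file")
        if reasons:
            findings.append((name, command, hive, reasons))
    return findings


def read_run_entries():
    """Live read of the per-user and machine-wide Run keys. Windows only;
    returns [] elsewhere so the triage logic can still be exercised offline."""
    if platform.system() != "Windows":
        return []
    import winreg  # only importable on Windows
    entries = []
    for label, hive in (("HKCU", winreg.HKEY_CURRENT_USER),
                        ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values
                        break
                    entries.append((name, str(value), label))
                    index += 1
        except OSError:  # key absent or not readable
            continue
    return entries


# Constructed sample: one benign entry, one that matches both checks.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive",
     r"C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
     "HKCU"),
    ("csshost",
     r'wscript.exe //B "C:\Users\dev\AppData\Local\Temp\launch.vbs"',
     "HKCU"),
]

if __name__ == "__main__":
    live = read_run_entries()
    for hit in triage_run_entries(live or SAMPLE_RUN_ENTRIES):
        print(hit)
```

Run it with an elevated prompt to see HKLM entries; without elevation HKLM may be readable but incomplete. The heuristic will flag legitimate logon scripts that live in TEMP, which is itself worth a conversation with whoever put them there.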