A recent investigation has uncovered a malware campaign that targets Windows systems through a disguised package on the npm registry. The package poses as a CSS build tool, but in reality it installs a fully functional Remote Access Trojan (RAT) on developer machines.
The infection begins with a typosquatted npm package named postcss-minify-selector-parser, which mimics the well-established postcss-selector-parser, a package with over 150 million weekly downloads. When a developer installs the counterfeit and its entry file is loaded, a hidden encoded blob in that file kicks off a multi-stage attack chain.
The chain ends with a Windows RAT capable of stealing credentials, executing shell commands, and communicating with a remote attacker. Security researchers at JFrog identified the threat and shared their findings in a detailed report published on June 22, 2026, with Cyber Security News (CSN). Their investigation also turned up two related packages, postcss-minify-selector and aes-decode-runner-pro, all from the same npm publisher. At the time of the report, all three packages were still live on the registry.
Windows RAT Uses Encrypted HTTP C2 and Registry Persistence
What makes this campaign effective is how well it blends into a normal development environment. The fake package uses the same keywords as the original and even declares the genuine postcss-selector-parser as a dependency, so it is easy to overlook during a routine dependency audit. One practical consequence: seeing the legitimate postcss-selector-parser in a dependency tree is not evidence that the legitimate package was what got installed, because the counterfeit pulls it in too. Developers on fast-moving projects, particularly those who do not audit transitive dependencies, are at heightened risk; the attackers clearly understand how trust works in open-source ecosystems.
The full extent of the damage becomes apparent only after the complete payload chain executes. A PowerShell downloader retrieves a ZIP archive from a lookalike domain (nvidiadriver[.]net, per the indicators below), extracts it, and runs a VBS script that launches the RAT. The final implant is a Python application whose modules were compiled to native .pyd extensions with Nuitka and are imported by a small loader script run under a renamed Python interpreter, which makes inspection harder than it is for typical script-based threats.
Once the RAT is active on a victim's machine, it connects to a command-and-control (C2) server over plain HTTP. Traffic is wrapped with RC4 (ARC4) using key and checksum material derived from MD5, so the beacons are not readable on the wire. This is obfuscation rather than strong cryptography: RC4 is a broken stream cipher that provides no integrity, an MD5 checksum is not an authentication tag, and a key derived from static material means the same keystream is reused across messages. Content-based network signatures will miss it, but the beacon destination itself, an HTTP connection to a bare IP address on port 8080, remains visible. The RAT sends an initial host profile to the C2 and then enters a loop, waiting for commands from the attacker.
To survive reboots, the malware adds a value named csshost under the current user's Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run). It also stores a persistent victim UUID and host configuration in files placed in the TEMP directory, so the RAT can reconnect automatically the next time the machine starts, even if the attacker has lost contact in the meantime.
The RAT supports a wide range of functions, including remote shell execution, file upload and download, randomized sleep commands, and virtual machine detection. Its evasion techniques, such as WMI queries and matching the host's MAC address prefix against known virtualization vendor OUIs, point to a threat actor with considerable technical skill and operational experience.
Chrome Credential Theft and Exfiltration
In addition to remote control, the RAT has a dedicated module for stealing saved login data from Google Chrome. It reads Chrome's local profile files, including the Login Data SQLite database, and uses the Windows Data Protection API (DPAPI) to unlock the stored passwords. Notably, it also handles Chrome's newer app-bound encryption, which Chrome introduced specifically to stop DPAPI-based stealers, so even recently protected credentials are at risk.
The auto module (auto.cp310-win_amd64.pyd) also collects data from Chrome extensions and packages the results into an in-memory archive before exfiltration. Output file references found in the binary, such as chromeloginsdump.txt and gather.tar.gz, suggest the malware was built for organized batch exfiltration. This is an immediate risk for developers who keep API keys, tokens, or credentials in their browser.
JFrog advises anyone who has installed packages from this cluster to remove them immediately and to inspect their full dependency trees, including lockfiles, for the package names listed below. Security teams should block the network indicators associated with the campaign and search endpoints for the related file paths, registry entry, and executables. All browser-stored credentials and development tokens on affected machines should be treated as compromised and rotated without delay.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| IP Address | 95[.]216[.]92[.]207 | C2 server IP address |
| Domain | nvidiadriver[.]net | Payload delivery domain |
| URL | hxxp[:]//95[.]216[.]92[.]207:8080 | C2 communication endpoint |
| URL | hxxp[:]//nvidiadriver[.]net/verv1432/winpatch-xd7d[.]win | Payload download URL |
| File Path | %TEMP%\winPatch.zip | Downloaded malware archive |
| File Path | %TEMP%\winPatch\update.vbs | VBS bootstrapper file |
| File Path | %TEMP%\.store | Persistent victim UUID storage |
| File Path | %TEMP%\.host | Host configuration storage |
| Registry Value | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\csshost | RAT persistence Run entry |
| File Name | win-driver-xd7d/chost.exe | Renamed Python launcher |
| File Name | win-driver-xd7d/loader.py | Python loader script |
| File Name | win-driver-xd7d/api.cp310-win_amd64.pyd | HTTP C2 packet exchange module |
| File Name | win-driver-xd7d/audiodriver.cp310-win_amd64.pyd | Main RAT orchestration module |
| File Name | win-driver-xd7d/auto.cp310-win_amd64.pyd | Chrome credential theft module |
| File Name | win-driver-xd7d/command.cp310-win_amd64.pyd | Host actions and shell execution module |
| File Name | win-driver-xd7d/config.cp310-win_amd64.pyd | RAT configuration module |
| File Name | win-driver-xd7d/util.cp310-win_amd64.pyd | Archive helper module |
| SHA-256 | 164e322d6fbc62e254d73583acd7f39444c884d3f5e6a5d27db143fc25bc88b3 | audiodriver.cp310-win_amd64.pyd |
| SHA-256 | 50ffce607867d8fa8eaf6ef5cd25a3c0e7e4415e881b9e55c04a67bcddb74fdf | api.cp310-win_amd64.pyd |
| SHA-256 | 17832aa629524ef6e8d8d6e9b6b902a8d324b559e3c36dbd0e221ab1690be871 | auto.cp310-win_amd64.pyd |
| SHA-256 | c8075bbff748096e1c6a1ea0aa67bb6762fdd7551427a12425b35b94c1f1ecf2 | command.cp310-win_amd64.pyd |
| SHA-256 | f6669bd504ce6b0e303be7ee47f2ebbc062989c88c41f0a3f436044a24869798 | config.cp310-win_amd64.pyd |
| SHA-256 | 282b9bc318ad1234cbd1b86424b784299b8be31545802a7c6b751166b814b990 | util.cp310-win_amd64.pyd |
| npm Package | postcss-minify-selector-parser (XRAY-1002983) | Primary malicious npm package |
| npm Package | postcss-minify-selector (XRAY-1003986) | Related malicious npm package |
| npm Package | aes-decode-runner-pro (XRAY-989675) | Related AES decoder package |
Note: IP addresses, domains and URLs above are intentionally defanged (e.g., [.] and hxxp) to prevent accidental resolution or hyperlinking. Re-fang them only inside controlled threat intelligence tooling such as MISP, VirusTotal, or your SIEM, and keep the backslash paths and registry value exact when building endpoint queries.