Malicious npm Packages Masquerade as PostCSS Tools to Deploy Multi-Stage Windows RAT

Security researchers have uncovered malicious npm packages posing as PostCSS utilities that deploy a multi-stage Windows remote access trojan capable of stealing credentials, executing commands, and maintaining persistent control over infected systems.

CSBadmin

Cybersecurity researchers have identified a set of malicious npm packages that impersonate legitimate PostCSS development tools while delivering a sophisticated Windows-based remote access trojan (RAT). The packages—distributed under names resembling widely used CSS processing libraries—were published by a threat actor and remain publicly available on npm, despite exhibiting behavior consistent with active malware campaigns targeting developers.

The attack chain begins when a developer installs one of the malicious packages, which executes a JavaScript-based dropper during installation. This dropper writes a PowerShell script to disk and runs it, initiating a multi-stage infection process. The PowerShell component retrieves a compressed payload from an external command-and-control server, which is then unpacked into a mix of Visual Basic Script, Python runtime components, and compiled Python extensions designed to evade detection and establish control over the host system.

Once deployed, the malware enables full remote access capabilities, including credential theft from Google Chrome, system profiling, file exfiltration, command execution, and persistent communication with a remote C2 server. The modular architecture of the RAT relies on multiple Python native extensions responsible for orchestration, browser data theft, encryption handling, and system enumeration, allowing attackers to maintain flexible and stealthy control over infected machines.

Researchers warn that the campaign highlights the increasing sophistication of software supply-chain attacks targeting developer ecosystems such as npm. By disguising malicious packages as trusted build tools with high-download dependency chains, attackers exploit implicit trust in popular libraries to bypass scrutiny and security tools. The incident underscores the importance of dependency validation, install-time monitoring, and strict auditing of third-party packages in modern software development workflows.

The discovery coincides with a broader wave of npm ecosystem attacks involving credential theft tools, rootkits, and AI-related impersonation packages, reinforcing concerns that developer supply chains have become a primary target for multi-stage malware delivery and enterprise intrusion.

SOURCES: The Hacker News