From PostCSS Masquerading to Windows RAT
Essential information
- Published
- 23/06/2026 19:20
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- credential theft multistage npm nuitka postcss python rat supply chain typosquatting
- Related entities
- 9 indicators, 3 observables, 20 techniques (mitre)
Description
A sophisticated supply chain attack leverages typosquatting of the legitimate postcss-selector-parser npm package, which receives over 150 million weekly downloads. Three malicious packages published by user 'abdrizak' masquerade as PostCSS utilities while delivering a multi-stage Windows RAT. The infection chain begins with encoded JavaScript that drops PowerShell scripts, which then download a bundled Python runtime containing Nuitka-compiled modules. The final payload implements comprehensive RAT capabilities including HTTP C2 communication with RC4 encryption, registry persistence, VM detection, remote shell execution, file transfer, and Chrome credential theft using DPAPI and app-bound decryption. The attack demonstrates how build tooling dependencies can serve as delivery mechanisms for sophisticated Windows malware targeting developer environments.