Cybersecurity research firm JFrog, in its latest report, describes a technique cybercriminals are using to target software developers: tricking them into installing remote access trojans (RATs). The operation relies on package impersonation, in which malicious packages are published under names that resemble trusted utilities so that developers pick them up by mistake.
According to JFrog’s investigation, the attackers uploaded three connected malicious packages to the npm registry. The primary fake package is named postcss-minify-selector-parser. Its name is almost identical to postcss-selector-parser, a highly popular legitimate utility with over 150 million weekly downloads.
Because the fake package shares keywords with the real one and even lists the genuine package as a dependency, it can slip past a cursory dependency review. JFrog found that an npm user named abdrizak published it together with two other interconnected packages: postcss-minify-selector and aes-decode-runner-pro.
The Multi-Stage Infection
When a developer imports the fake package, the code does no parsing at all. Instead it immediately reads an encrypted text block stored in a defaults file, decrypts it with AES-256-GCM, and executes the result: a JavaScript dropper that writes and launches a PowerShell script named settings.ps1.
This PowerShell script downloads a file from nvidiadriver.net, a domain built to look like an official graphics driver site. The downloaded ZIP archive, disguised as a Windows patch, is unpacked into the local temporary directory.
A VBScript file named update.vbs then launches a hidden Python environment that loads compiled extension modules such as audiodriver.pyd and command.pyd. These modules make up the Remote Access Trojan (RAT), which connects to a command-and-control (C2) server.
Stealing Saved Data
The Trojan establishes persistence through the Windows Registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It checks whether it is running inside a virtual machine in order to evade security analysts, executes shell commands in the background, and handles direct file transfers.
The primary target of the attack is Google Chrome. A module named auto.pyd searches for saved login databases and Chrome profile paths. It contains specific functions to bypass Chrome's newer app-bound encryption and extract stored usernames and passwords directly.
JFrog recommends that developers remove these three packages, search their system temporary folders for files named winPatch, .store, or .host, and change every password stored in their web browsers.
“This case shows how a small parser-like package can hide a multi-stage Windows payload while appearing related to legitimate build tooling with massive weekly usage. For defenders, the important lesson is to treat lookalike build dependencies as potential delivery mechanisms, not just harmless naming noise,” researchers conclude.

