Cybercriminals Exploit npm Packages to Deploy RATs Targeting Developers
Cybersecurity firm JFrog uncovered a sophisticated attack campaign leveraging package impersonation to distribute remote access trojans (RATs) via the npm registry. Attackers uploaded three malicious packages (postcss-minify-selector-parser, postcss-minify-selector, and aes-decode-runner-pro) designed to mimic legitimate tools and deceive developers.
The primary malicious package, postcss-minify-selector-parser, closely resembles the widely used postcss-selector-parser (150M+ weekly downloads), sharing similar keywords and listing the genuine package as a dependency. Published by an npm user named abdrizak, the fake package evades detection by appearing as a routine build utility.
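As an added example (not JFrog's code or tooling), the following Python check scores a dependency list against a watch-list of well-known npm packages, combining character similarity with keyword overlap, and records whether a lookalike also lists the package it resembles as a dependency, the pattern described above. The watch-list, the inline manifests and the threshold are constructed assumptions.

```python
"""Flag npm dependency names that resemble a well-known package.

Added example: a defensive pre-install check, not JFrog's tooling.
WELL_KNOWN and MANIFESTS are constructed for illustration.
"""
from __future__ import annotations

import re
from difflib import SequenceMatcher

# Assumed watch-list; in practice seed it from your lockfile history.
WELL_KNOWN = {"postcss-selector-parser", "postcss", "lodash"}

# Constructed package.json-like manifests keyed by package name.
MANIFESTS = {
    "postcss-minify-selector-parser": {"dependencies": {"postcss-selector-parser": "^6.0.0"}},
    "aes-decode-runner-pro": {"dependencies": {}},
    "postcss-selector-parser": {"dependencies": {"cssesc": "^3.0.0"}},
}


def tokens(name: str) -> set[str]:
    """Split a package name into lowercase keywords (scope and separators dropped)."""
    return set(re.split(r"[-_./@]+", name.lower())) - {""}


def lookalike_score(candidate: str, genuine: str) -> float:
    """Return the higher of character similarity and keyword Jaccard overlap (0..1)."""
    char_sim = SequenceMatcher(None, candidate, genuine).ratio()
    t_c, t_g = tokens(candidate), tokens(genuine)
    jaccard = len(t_c & t_g) / len(t_c | t_g) if (t_c | t_g) else 0.0
    return max(char_sim, jaccard)


def flag_lookalikes(manifests: dict[str, dict], threshold: float = 0.8) -> list[dict]:
    """Report packages resembling a watch-listed name; note if they depend on it."""
    findings = []
    for name, pkg in manifests.items():
        if name in WELL_KNOWN:
            continue  # the genuine package itself is not a lookalike
        deps = set(pkg.get("dependencies", {}))
        for genuine in WELL_KNOWN:
            score = lookalike_score(name, genuine)
            if score >= threshold:
                findings.append({"package": name, "resembles": genuine,
                                 "score": round(score, 2),
                                 "depends_on_genuine": genuine in deps})
    return findings


if __name__ == "__main__":
    for finding in flag_lookalikes(MANIFESTS):
        print(finding)
```

A hit that both resembles a watch-listed package and depends on it deserves manual review before the install proceeds, since that combination is exactly how the fake package here blended in.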
Multi-Stage Infection Chain
When installed, the package executes an AES-256-GCM-encrypted payload from a defaults file, triggering a JavaScript dropper that runs a PowerShell script (settings.ps1). This script downloads a ZIP archive from nvidiadriver.net, a spoofed domain impersonating an official graphics driver site. The archive, disguised as a Windows patch, extracts to the temporary directory and launches a VBScript (update.vbs), which activates a hidden Python environment running compiled modules (audiodriver.pyd, command.pyd).
The final payload, a RAT, establishes persistence via the Windows Registry run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run), checks for virtual machines to evade analysis, and executes background commands. A module (auto.pyd) specifically targets Google Chrome, bypassing app-bound encryption to extract stored usernames and passwords from saved login databases.
JFrog’s findings highlight how attackers exploit trusted dependency ecosystems to deliver malware under the guise of legitimate tools. The incident underscores the risks of lookalike packages in open-source registries, where even minor naming similarities can serve as effective delivery vectors.
Source: https://hackread.com/fake-npm-packages-postcss-tool-steal-chrome-password/
npm TPRM report: https://www.rankiteo.com/company/npm-inc-
{
  "id": "npm1782311118",
  "linkid": "npm-inc-",
  "type": "Cyber Attack",
  "date": "6/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {
      "industry": "Software Development",
      "location": "Global",
      "name": "Developers using npm",
      "type": "Individuals/Organizations"
    }
  ],
  "attack_vector": "Malicious npm Packages",
  "data_breach": {
    "data_encryption": "AES-256-GCM (payload encryption)",
    "data_exfiltration": "Yes",
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": "Credentials (usernames and passwords)"
  },
  "description": "Cybersecurity firm JFrog uncovered a sophisticated attack campaign leveraging package impersonation to distribute remote access trojans (RATs) via the npm registry. Attackers uploaded three malicious packages (postcss-minify-selector-parser, postcss-minify-selector, and aes-decode-runner-pro) designed to mimic legitimate tools and deceive developers. The primary malicious package, postcss-minify-selector-parser, closely resembles the widely used postcss-selector-parser (150M+ weekly downloads) and evades detection by appearing as a routine build utility.",
  "impact": {
    "data_compromised": "Stored usernames and passwords from Google Chrome",
    "identity_theft_risk": "High",
    "operational_impact": "Potential unauthorized access to developer systems",
    "systems_affected": "Developer workstations with infected npm packages"
  },
  "initial_access_broker": {
    "backdoors_established": "Windows Registry run key (HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run)",
    "entry_point": "Malicious npm packages",
    "high_value_targets": "Google Chrome saved login databases"
  },
  "investigation_status": "Uncovered",
  "lessons_learned": "Attackers exploit trusted dependency ecosystems to deliver malware under the guise of legitimate tools. Risks of lookalike packages in open-source registries can serve as effective delivery vectors.",
  "motivation": "Data Theft, Espionage",
  "post_incident_analysis": {
    "root_causes": "Package impersonation, exploitation of trusted npm registry"
  },
  "references": [
    {"source": "JFrog"}
  ],
  "response": {
    "third_party_assistance": "JFrog"
  },
  "title": "Cybercriminals Exploit npm Packages to Deploy RATs Targeting Developers",
  "type": "Supply Chain Attack",
  "vulnerability_exploited": "Package Impersonation"
}