Full Report
Cybersecurity researchers have discovered a set of malicious npm packages designed to deliver a Windows-based remote access trojan (RAT). The identified packages are:

- aes-decode-runner-pro (145 downloads)
- postcss-minify-selector (256 downloads)
- postcss-minify-selector-parser (615 downloads)

All the packages were published over the past month by an npm user named
Analysis Summary
# Tool/Technique: Python-based Windows RAT (Nuitka-compiled)
## Overview
A multi-stage supply chain attack targeting Windows developers via typosquatted npm packages. The attack uses legitimate-sounding CSS and AES decoding tool names to deliver a sophisticated Python-based Remote Access Trojan (RAT) compiled into native Windows extension modules to evade detection.
## Technical Details
- **Type:** Malware (Remote Access Trojan / Spyware)
- **Platform:** Windows
- **Capabilities:** Infostealer, Shell Execution, File Transfer, VM Detection, App-Bound Encryption (ABE) Bypass
- **First Seen:** June 2026 (Reported)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1195.001 - Supply Chain Compromise: Compromise Software Dependencies
- **TA0002 - Execution**
  - T1059.001 - Command and Scripting Interpreter: PowerShell
  - T1059.005 - Command and Scripting Interpreter: Visual Basic
  - T1204.002 - User Execution: Malicious File
- **TA0005 - Defense Evasion**
  - T1027.002 - Obfuscation/Software Packing (Nuitka/PYD compilation)
  - T1497.001 - Virtualization/Sandbox Evasion: System Checks
- **TA0006 - Credential Access**
  - T1555.003 - Credentials from Web Browsers
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (HTTP)
## Functionality
### Core Capabilities
- **Host Profiling:** Gathers detailed hardware and software information from the compromised host.
- **Credential Theft:** Specifically targets Google Chrome browser data, including saved passwords and cookie data.
- **Extension Siphoning:** Collects data from installed Chrome extensions.
- **Command Execution:** Provides an interactive shell to run arbitrary system commands.
- **File Management:** Supports uploading data to the C2 and downloading additional tools or scripts.
### Advanced Features
- **Nuitka Compilation:** Logic is hidden within compiled CPython extension modules (`.pyd` files), making static analysis and signature-based detection difficult.
- **ABE Bypassing:** Includes specific logic to bypass Google Chrome's "App-Bound Encryption" protections to decrypt sensitive data.
- **Modular Design:** Functionality is distributed across specific modules:
  - `config.pyd`: Static constants and C2 config.
  - `audiodriver.pyd`: The primary execution loop and orchestration.
  - `auto.pyd`: The automation module for credential harvesting and browser attacks.
## Indicators of Compromise
- **File Names:**
  - `settings.ps1` (PowerShell Downloader)
  - `update.vbs` (Environment Setup/Python Launcher)
  - `loader.py` (Malware Entry Point)
  - `config.pyd`, `api.pyd`, `audiodriver.pyd`, `command.pyd`, `auto.pyd`, `util.pyd` (Malware Components)
- **Network Indicators:**
  - `nvidiadriver[.]net` (Payload Host)
  - `95.216.92[.]207:8080` (C2 Server)
- **Malicious npm Packages:**
  - `aes-decode-runner-pro`
  - `postcss-minify-selector`
  - `postcss-minify-selector-parser`
## Associated Threat Actors
- **Attributed npm User:** `abdrizak` (Likely a persona/alias)
## Detection Methods
- **Behavioral Detection:** Monitor for `npm install` processes that spawn `powershell.exe` or `curl.exe` to fetch external ZIP files. Watch for `wscript.exe` launching Python runtimes from temporary directories.
- **Signature-based:** Standard AV may detect the initial `.ps1` or `.vbs` droppers; however, compiled `.pyd` modules require specialized scanning for Python-compiled bytecode or Nuitka patterns.
- **Registry Monitoring:** Monitor for unexpected persistence keys established by the VBS or Python loader.
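
The two behavioral rules above can be expressed as process-ancestry checks over process-creation telemetry. The following is an added example, not code from the report or the researchers; the event field names, PIDs, paths and command lines are constructed sample data, and only the file names `settings.ps1`, `update.vbs` and `loader.py` come from the IoC list.

```python
import ntpath
# Constructed process-creation events (Sysmon Event ID 1 style); sample data, not from the report.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\nodejs\node.exe",
     "cmd": r'node.exe "C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js" install'},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /d /s /c node setup.js"},
    {"pid": 102, "ppid": 101,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -File settings.ps1"},
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": "wscript.exe update.vbs"},
    {"pid": 201, "ppid": 200, "image": r"C:\Users\dev\AppData\Local\Temp\py\python.exe",
     "cmd": "python.exe loader.py"},
    {"pid": 300, "ppid": 1,  # benign: admin shell with no npm ancestor
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Process"},
]
FETCHERS = {"powershell.exe", "curl.exe"}
PYTHONS = {"python.exe", "pythonw.exe"}
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

def base(path):
    return ntpath.basename(path).lower()

def is_npm_install(ev):
    cmd = ev["cmd"].lower()
    return (base(ev["image"]) == "node.exe" and "npm" in cmd
            and any(tok in ("install", "i", "ci") for tok in cmd.split()))

def ancestors(ev, by_pid):
    # Install scripts usually run through cmd.exe, so walk the whole chain.
    seen = set()
    while ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        yield ev

def detect(events):
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        name, parent = base(ev["image"]), by_pid.get(ev["ppid"])
        if name in FETCHERS and any(is_npm_install(a) for a in ancestors(ev, by_pid)):
            alerts.append(("npm-install-spawned-fetcher", ev["pid"]))
        if (name in PYTHONS and parent and base(parent["image"]) == "wscript.exe"
                and any(d in ev["image"].lower() for d in TEMP_DIRS)):
            alerts.append(("wscript-launched-temp-python", ev["pid"]))
    return alerts
```

On real telemetry, key the ancestry lookup on a per-process GUID rather than the PID, since Windows reuses PIDs.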
## Mitigation Strategies
- **Dependency Auditing:** Utilize tools like `npm audit` and implement strict allow-listing for internal package mirrors.
- **Typosquatting Protection:** Educate developers to verify package names against official documentation (e.g., checking for `postcss-selector-parser` vs `postcss-minify-selector-parser`).
- **Endpoint Lockdown:** Restrict `wscript.exe` and `powershell.exe` from making unauthorized outbound connections to non-trusted domains.
- **Software Composition Analysis (SCA):** Integrate SCA tools into CI/CD pipelines to flag packages with low reputation or recent publication dates.
## Related Tools/Techniques
- **MYRA RAT:** A separate Linux-based rootkit discovered in the same campaign cluster.
- **@withgoogle/stitch-sdk:** A credential harvester targeting developer configuration files.
- **Procwire/Routecraft:** Similar Windows dropper campaigns utilizing npm as an entry point.