New Windows RAT spreads via npm, uses encrypted C2 and registry persistence

Key Takeaways

• A new, sophisticated Remote Access Trojan (RAT) is actively targeting Windows users through malicious packages published on the npm registry.
• The malware uses typosquatting tactics, impersonating popular CSS build tools to trick developers into installing it.
• Once installed, the RAT establishes encrypted command-and-control (C2) communications, achieves persistence via the Windows Registry, and incorporates advanced evasion techniques.
• A primary function of this RAT is its ability to steal credentials from Google Chrome, including app-bound encrypted passwords, and exfiltrate this sensitive data.
• Developers and security teams must immediately remove affected packages, block associated network indicators, and rotate all potentially compromised credentials.

A highly sophisticated malware operation has been uncovered, deploying a full-featured Remote Access Trojan (RAT) targeting Windows systems through the widely used npm package registry. This campaign employs cleverly designed, deceptive packages that mimic legitimate CSS build utilities, allowing the threat to infiltrate developer environments with potent and stealthy capabilities.

The attack vector begins with the installation of a typosquatted npm package, specifically named “postcss-minify-selector-parser.” This malicious offering deliberately imitates “postcss-selector-parser,” a genuine package with over 150 million weekly downloads, exploiting developers’ trust and familiarity. Upon installation, an obfuscated payload embedded within the package’s entry file initiates a multi-stage infection process. This sequence ultimately deploys a Windows RAT capable of executing arbitrary shell commands, exfiltrating credentials, and maintaining covert communication with its operators.

Security researchers at JFrog first identified this threat, publishing a detailed analysis on June 22, 2026. Their investigation also uncovered two additional related packages, “postcss-minify-selector” and “aes-decode-runner-pro,” all attributed to the same npm publisher. At the time of JFrog’s report, all three malicious packages remained publicly accessible on the npm registry.

The effectiveness of this campaign is largely due to its meticulous design, which allows it to blend seamlessly into typical development workflows. The fraudulent package employs identical keywords and even declares a dependency on the legitimate “postcss-selector-parser.” This strategic camouflage makes it particularly challenging to detect during routine dependency audits. Developers working on fast-paced projects, who might not thoroughly scrutinize transitive dependencies, are especially susceptible, highlighting the attackers’ deep understanding of trust dynamics within open-source ecosystems.

The full extent of the compromise becomes clear as the payload chain unfolds. A PowerShell script downloads a ZIP archive from a domain carefully crafted to appear legitimate. This archive is then extracted, and a VBS script is executed to launch the RAT. The final malicious implant operates as a Python application, compiled using Nuitka. This compilation significantly complicates forensic analysis, making it far more difficult to dissect compared to conventional script-based threats.

Windows RAT Uses Encrypted HTTP C2 and Registry Persistence

Once activated on a compromised Windows machine, the RAT establishes communication with its command-and-control (C2) server over HTTP. This C2 traffic is heavily encrypted using RC4/ARC4 with MD5 checksums, which significantly complicates network-level detection and analysis. The RAT first transmits a profile of the infected host to the C2 server, then enters a persistent loop, awaiting further instructions from the attacker.

To ensure persistence across system reboots, the malware creates a registry run key named “csshost” under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. It also stores a unique victim identifier (UUID) and host configuration details in files located within the system’s TEMP directory. This mechanism guarantees that even if the attacker’s connection is interrupted, the RAT will automatically re-establish communication upon the next system startup.

The RAT is equipped with a broad range of capabilities, including remote shell execution, file upload and download functionalities, and randomized sleep commands designed to evade detection. Furthermore, it incorporates virtual machine (VM) detection mechanisms, employing WMI queries and MAC address prefix matching to prevent execution in sandbox analysis environments. This advanced evasion design suggests a highly organized threat actor with substantial technical expertise and operational experience.

Chrome Credential Theft and Exfiltration

Beyond its remote control capabilities, the RAT includes a specialized module dedicated to stealing saved login credentials from Google Chrome. This module directly accesses Chrome’s local profile files, including the “Login Data” SQLite database. It leverages Windows decryption APIs to unlock stored passwords and is specifically engineered to handle newer Chrome app-bound encryption, making even recently secured credentials vulnerable.

The auto.pyd module is also responsible for collecting Chrome extension data. It packages all gathered information into an in-memory archive before exfiltrating it. Internal references within the binary, such as “chrome_logins_dump.txt” and “gather.tar.gz,” indicate that the attacker designed this component for efficient, organized batch exfiltration of sensitive data. For developers who frequently store API keys, authentication tokens, or other critical credentials within their browser, this represents a severe and immediate security risk.

JFrog advises all users who have installed packages from this malicious cluster to immediately remove them. They also recommend a thorough inspection of full dependency trees for any transitive risks. Security teams should implement blocks for all identified network indicators associated with this campaign and conduct endpoint scans for related file paths and executables. Furthermore, all browser-stored credentials and development tokens on any potentially affected machines must be considered compromised and rotated without delay.

What You Should Do

• Immediately Uninstall Malicious Packages: Remove postcss-minify-selector-parser, postcss-minify-selector, and aes-decode-runner-pro from all development environments.
• Audit Dependencies: Conduct a comprehensive audit of all npm project dependencies, paying close attention to transitive dependencies, to identify and remove any other potentially compromised packages.
• Block Network Indicators: Configure firewalls and intrusion detection/prevention systems (IDS/IPS) to block communication with the identified C2 server IP address (95[.]216[.]92[.]207) and payload delivery domain (nvidiadriver[.]net).
• Scan Endpoints: Perform full system scans on all Windows machines that may have installed these packages. Look for the presence of files in the %TEMP% directory (e.g., winPatch.zip, update.vbs, .store, .host) and the malicious executable (chost.exe).
• Check Registry for Persistence: Inspect the Windows Registry for the persistence key HKCUSoftwareMicrosoftWindowsCurrentVersionRuncsshost and remove it if found.
• Rotate Credentials: Assume all browser-stored credentials, API keys, and development tokens on potentially affected machines are compromised. Immediately change passwords for all accounts, revoke and regenerate API keys, and update any sensitive tokens.
• Implement Software Supply Chain Security: Utilize tools and practices that vet open-source packages for known vulnerabilities and malicious activity before integration into development pipelines.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.