
abdrizak npm packages deliver Windows Python RAT via PostCSS lookalikes
npm supply-chain actors are embedding multi-stage Windows RATs inside parser-adjacent packages. The campaign overlaps with three concurrent credential and Linux rootkit operations, indicating coordinated testing of developer-tooling vectors. Defenders must treat any low-download lookalike dependency as a potential staging point rather than isolated noise.
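The lookalike-dependency check the paragraph calls for can be scripted against a lockfile. The script below is an added example written for this write-up; it is not JFrog's or SafeDep's tooling. The allowlist of well-known packages, the package-lock.json contents, the version numbers and the weekly download figures are all constructed so it runs offline; the three suspicious package names are the ones named in the report, and the "depends on the package it imitates" signal reflects the report's observation that the malicious packages wrap the real postcss-selector-parser.

```python
"""Audit an npm lockfile for dependencies that imitate well-known packages.

Added example for the abdrizak write-up; not JFrog's or SafeDep's tooling.
Allowlist, lockfile, versions and download counts below are constructed.
"""
import json
from difflib import SequenceMatcher

# Constructed allowlist: packages a front-end build legitimately pulls in.
KNOWN_PACKAGES = {
    "postcss", "postcss-selector-parser", "postcss-minify-selectors",
    "cssnano", "autoprefixer", "lodash",
}
SIMILARITY_THRESHOLD = 0.85   # difflib ratio; tune against your own dependency set
LOW_WEEKLY_DOWNLOADS = 500    # below this, treat the package as unvetted

# Constructed package-lock.json (lockfileVersion 3 layout); versions are made up.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/postcss": {"version": "8.4.0"},
        "node_modules/postcss-selector-parser": {"version": "6.0.0"},
        "node_modules/postcss-minify-selector": {
            "version": "1.0.2",
            "dependencies": {"postcss-selector-parser": "^6.0.0"},
        },
        "node_modules/postcss-minify-selector-parser": {
            "version": "1.0.0",
            "dependencies": {"postcss-selector-parser": "^6.0.0"},
        },
        "node_modules/aes-decode-runner-pro": {"version": "0.1.0"},
    },
})

# Constructed weekly download figures standing in for a registry API lookup.
SAMPLE_WEEKLY_DOWNLOADS = {
    "postcss": 90_000_000,
    "postcss-selector-parser": 60_000_000,
    "postcss-minify-selector": 14,
    "postcss-minify-selector-parser": 6,
    "aes-decode-runner-pro": 3,
}


def similar_known_packages(name):
    """Return [(known_name, ratio)] for allowlisted packages this name resembles."""
    if name in KNOWN_PACKAGES:
        return []
    hits = []
    for known in KNOWN_PACKAGES:
        ratio = SequenceMatcher(None, name, known).ratio()
        if ratio >= SIMILARITY_THRESHOLD:
            hits.append((known, round(ratio, 3)))
    return sorted(hits, key=lambda hit: -hit[1])


def audit_lockfile(lock_json, weekly_downloads):
    """Return a finding for every installed package that trips at least one signal."""
    findings = []
    for key, entry in json.loads(lock_json)["packages"].items():
        if not key:
            continue                                   # root project entry
        name = key.rsplit("node_modules/", 1)[-1]      # handles nested node_modules
        signals = []
        lookalikes = similar_known_packages(name)
        for known, ratio in lookalikes:
            signals.append(("lookalike", f"resembles {known} (ratio {ratio})"))
        deps = entry.get("dependencies", {})
        for known, _ in lookalikes:
            if known in deps:
                # The campaign's packages declare the real package they imitate.
                signals.append(("imitated-dependency", f"depends on {known}"))
        downloads = weekly_downloads.get(name, 0)
        if name not in KNOWN_PACKAGES and downloads < LOW_WEEKLY_DOWNLOADS:
            signals.append(("low-downloads", f"{downloads} weekly downloads"))
        if signals:
            findings.append({"package": name, "version": entry.get("version"),
                             "signals": signals})
    return findings


if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCKFILE, SAMPLE_WEEKLY_DOWNLOADS):
        print(f"{finding['package']}@{finding['version']}")
        for kind, detail in finding["signals"]:
            print(f"  [{kind}] {detail}")
```

Name similarity alone does not catch aes-decode-runner-pro, which resembles nothing on the allowlist; it surfaces only through the download-count signal, which is why the two checks belong together. In production the allowlist would come from your own dependency inventory and the download counts from the registry API.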
The packages aes-decode-runner-pro, postcss-minify-selector, and postcss-minify-selector-parser mimic the names of high-traffic PostCSS components while depending on the real postcss-selector-parser. On execution the package writes settings.ps1, pulls a ZIP containing update.vbs, loader.py, and a set of .pyd extensions, then runs the RAT loop, which handles host profiling, file operations, and credential extraction that bypasses Chrome's app-bound encryption. JFrog's telemetry captured the full chain but omitted the infrastructure-reuse patterns visible in the nvidiadriver.net domain and the 95.216.92.207 IP.
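The chain above leaves a recognisable footprint on an endpoint: the dropped file names, a DNS lookup or connection to the listed infrastructure, and several of these on one host within minutes. The correlation script below is an added example, not JFrog's or SafeDep's detection content. Its pipe-delimited log format, the host names and the event lines are constructed; the file names settings.ps1, update.vbs and loader.py, the .pyd extension, the domain and the IP are taken from the write-up. The .pyd file name in the sample is a placeholder, since the report does not name the extension modules.

```python
"""Correlate endpoint telemetry against the abdrizak staging chain.

Added example, not JFrog's or SafeDep's detection content. Log format and
events are constructed; file names, domain and IP come from the write-up.
"""
from collections import defaultdict

# Stage labels keyed by the file names the chain writes (from the report).
STAGE_FILES = {
    "settings.ps1": "stage1-powershell-settings",
    "update.vbs": "stage2-vbs-from-zip",
    "loader.py": "stage3-python-loader",
}
NETWORK_IOCS = {"nvidiadriver.net", "95.216.92.207"}   # from the report

# Constructed telemetry: timestamp|host|event_type|detail
SAMPLE_EVENTS = """\
2024-05-01T10:00:01Z|DEV-01|file_write|C:\\Users\\dev\\AppData\\Local\\Temp\\settings.ps1
2024-05-01T10:00:04Z|DEV-01|dns_query|nvidiadriver.net
2024-05-01T10:00:05Z|DEV-01|file_write|C:\\Users\\dev\\AppData\\Local\\Temp\\update.vbs
2024-05-01T10:00:05Z|DEV-01|file_write|C:\\Users\\dev\\AppData\\Local\\Temp\\loader.py
2024-05-01T10:00:05Z|DEV-01|file_write|C:\\Users\\dev\\AppData\\Local\\Temp\\ext_placeholder.pyd
2024-05-01T10:00:09Z|DEV-01|net_connect|95.216.92.207:443
2024-05-01T10:02:00Z|DEV-02|file_write|C:\\Projects\\app\\settings.ps1
2024-05-01T10:03:00Z|DEV-03|dns_query|registry.npmjs.org
"""


def parse_events(text):
    """Parse the constructed pipe-delimited format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = line.split("|", 3)
        events.append({"ts": ts, "host": host, "kind": kind, "detail": detail})
    return events


def classify(event):
    """Map one event to a chain stage, or None if it matches nothing."""
    kind, detail = event["kind"], event["detail"]
    if kind == "file_write":
        basename = detail.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if basename in STAGE_FILES:
            return STAGE_FILES[basename]
        if basename.endswith(".pyd"):
            return "stage3-native-extension"
        return None
    if kind in ("dns_query", "net_connect"):
        # net_connect carries host:port; dns_query carries the queried name.
        target = detail.rsplit(":", 1)[0] if kind == "net_connect" else detail
        target = target.lower()
        for ioc in NETWORK_IOCS:
            if target == ioc or target.endswith("." + ioc):
                return "c2-infrastructure"
    return None


def correlate(events, min_stages=2):
    """Group stage hits per host; alert only when distinct stages co-occur.

    A lone settings.ps1 write is a weak signal (the name is generic), so a
    single stage never alerts on its own.
    """
    per_host = defaultdict(list)
    for event in events:
        stage = classify(event)
        if stage:
            per_host[event["host"]].append((event["ts"], stage))
    report = {}
    for host, hits in per_host.items():
        stages = sorted({stage for _, stage in hits})
        report[host] = {
            "stages": stages,
            "alert": len(stages) >= min_stages,
            "first_seen": min(ts for ts, _ in hits),
        }
    return report


if __name__ == "__main__":
    for host, summary in correlate(parse_events(SAMPLE_EVENTS)).items():
        flag = "ALERT" if summary["alert"] else "info"
        print(f"{flag} {host} first_seen={summary['first_seen']} stages={summary['stages']}")
```

The stage threshold is what keeps the rule usable: settings.ps1 is a name any build script might write, so DEV-02's single hit is reported as informational, while DEV-01, which shows the dropper, the ZIP contents and the network indicators together, raises the alert.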
JFrog: Two additional abdrizak packages will appear on npm within 14 days carrying the same Python extension set.
Sources (2)
- [1] JFrog Malicious npm Analysis (https://jfrog.com/blog/malicious-npm-postcss-rat)
- [2] SafeDep MYRA Campaign Report (https://safedep.io/research/myra-linux-rat)