This campaign involves typosquatting of the legitimate postcss-selector-parser npm package, which has over 150 million weekly downloads. The attacker published three malicious packages under the user 'abdrizak' that impersonate PostCSS utilities. The infection chain starts with encoded JavaScript that drops PowerShell scripts, which then download a bundled Python runtime containing Nuitka-compiled modules. The final payload is a Windows RAT featuring HTTP command and control communication encrypted with RC4, registry persistence, virtual machine detection, remote shell execution, file transfer, and theft of Chrome credentials using DPAPI and app-bound decryption. The attack demonstrates how supply chain compromises in build tooling dependencies can deliver advanced Windows malware targeting developer systems.

The attack results in the installation of a fully featured Windows RAT capable of persistent remote access, data exfiltration, and credential theft. It compromises developer environments by leveraging widely used npm packages, potentially affecting a large number of users. The RAT's capabilities include encrypted C2 communication, evasion techniques such as VM detection, and theft of sensitive credentials from Chrome, increasing the risk of further compromise and lateral movement within affected networks.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Users should verify the authenticity of npm packages before installation, avoid typosquatted packages, and monitor for suspicious activity related to PostCSS utilities. Employing supply chain security best practices such as package integrity verification and restricting installation of untrusted packages can help mitigate risk. Since no official fix or patch is indicated, vigilance and proactive package management are essential.