Typosquatted npm Package Delivers Windows RAT with Encrypted C2 and Registry Persistence
By Tushar Subhra Dutta
Summary
A malware campaign targets Windows systems via a typosquatted npm package called postcss-minify-selector-parser, disguised as the legitimate postcss-selector-parser. When developers install the fake package, it deploys a full-featured Remote Access Trojan (RAT) that uses encrypted HTTP command-and-control (C2) communication and registry persistence to maintain access to infected machines.
Source: cybersecuritynews.com
Key quotes
Disguised as a legitimate CSS build tool, the malicious package quietly installs a full-featured Remote Access Trojan, or RAT, on developer machines.
The attack is subtle, well-crafted, and far more dangerous than it first appears.
The infection begins with a typosquatted npm package called postcss-minify-selector-parser, designed to look like the widely trusted postcss-selector-parser, which sees over 150 million weekly downloads.
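The package name in this campaign is not a one-character misspelling: it is the trusted name with an extra hyphenated token inserted, so a plain edit-distance check would miss it. The following is an added example, not code from the article or from the postcss project, of a small dependency audit that catches both kinds of lookalike (near-misspellings and extra-or-missing-token variants) and also flags install-time lifecycle scripts, the usual way an npm package runs code during `npm install` (the article does not state which hook this package used). The `POPULAR` allowlist and the `SAMPLE` package.json are constructed for illustration.

```javascript
// Added example (not from the article): flag dependency names that look like
// typosquats of well-known npm packages, and flag lifecycle scripts that run on
// install. POPULAR and SAMPLE are constructed for illustration, not real data.
const POPULAR = ["postcss-selector-parser", "postcss", "lodash", "express"];

// Levenshtein edit distance between two strings (catches near-misspellings).
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,
        dp[i][j - 1] + 1,
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1)
      );
    }
  }
  return dp[a.length][b.length];
}

// Compare hyphen-separated tokens: postcss-minify-selector-parser is the popular
// name with one extra token inserted, which edit distance alone does not catch.
function tokenVariant(candidate, popular) {
  const c = candidate.split("-");
  const p = popular.split("-");
  if (Math.abs(c.length - p.length) !== 1) return false;
  const [longer, shorter] = c.length > p.length ? [c, p] : [p, c];
  // True if dropping exactly one token from the longer name yields the shorter.
  return longer.some((_, i) =>
    longer.filter((__, k) => k !== i).join("-") === shorter.join("-")
  );
}

// Returns a finding for a lookalike name, or null for exact/unrelated names.
function suspiciousName(name) {
  for (const pop of POPULAR) {
    if (name === pop) return null;
    if (editDistance(name, pop) <= 2) {
      return { name, lookalikeOf: pop, reason: "edit-distance" };
    }
    if (tokenVariant(name, pop)) {
      return { name, lookalikeOf: pop, reason: "extra-or-missing-token" };
    }
  }
  return null;
}

// Audit a parsed package.json: lookalike dependency names, plus install hooks
// (preinstall/install/postinstall), which execute during `npm install`.
function auditPackage(pkg) {
  const findings = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const name of Object.keys(deps)) {
    const hit = suspiciousName(name);
    if (hit) findings.push({ kind: "lookalike-dependency", ...hit });
  }
  for (const hook of ["preinstall", "install", "postinstall"]) {
    if (pkg.scripts && pkg.scripts[hook]) {
      findings.push({ kind: "install-hook", hook, command: pkg.scripts[hook] });
    }
  }
  return findings;
}

// Constructed sample package.json (hypothetical project, not a real package).
const SAMPLE = {
  name: "example-app",
  dependencies: {
    "postcss-minify-selector-parser": "^1.0.0",
    "lodash": "^4.17.21",
    "expres": "^4.0.0"
  },
  scripts: { postinstall: "node setup.js" }
};

console.log(JSON.stringify(auditPackage(SAMPLE), null, 2));
```

Run against the sample, the audit reports the extra-token lookalike of postcss-selector-parser, the one-letter misspelling of express, and the postinstall hook; a real lockfile scan would iterate over every entry in package-lock.json rather than only direct dependencies. The token heuristic is deliberately loose and will also flag legitimate plugins such as a hypothetical `postcss-nested` against `postcss`, so pair it with an allowlist of known-good names and with `npm install --ignore-scripts` in CI, where install hooks are rarely needed.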