← All articles

Malicious npm packages mimic PostCSS tools to plant Windows remote-access trojan

JFrog found malicious npm packages that impersonate PostCSS build tools to drop a multi-stage Windows remote-access trojan on developer machines. One package, postcss-minify-selector-parser, is named to look like the widely used postcss-selector-parser library, which sees over 127 million weekly downloads, and even lists the real package as a dependency to seem plausible during a quick review. Once installed, it writes and runs a PowerShell script that pulls down the trojan. A second cluster of five packages delivers a dropper during npm install, with one server-side component that only serves the payload to victims matching a specific signature. Affected developers should remove the packages and rotate credentials.

Check
Check developer machines and build systems for the named malicious npm packages and any unexpected PowerShell activity or dropped executables that started during a recent npm install.
Affected
Developers who installed the lookalike PostCSS packages or the related five-package cluster; the payload is a Windows remote-access trojan that runs at install time on developer and build machines.
Fix
Remove the malicious packages and their artifacts, rotate credentials from affected machines, pin and verify dependencies, block install-time scripts in CI, and watch for typosquatted names close to popular libraries.