JFrog found malicious npm packages that impersonate PostCSS build tools to drop a multi-stage Windows remote-access trojan on developer machines. One package, postcss-minify-selector-parser, is named to look like the widely used postcss-selector-parser library, which sees over 127 million weekly downloads, and even lists the real package as a dependency to seem plausible during a quick review. Once installed, it writes and runs a PowerShell script that pulls down the trojan. A second cluster of five packages delivers a dropper during npm install, with one server-side component that only serves the payload to victims matching a specific signature. Affected developers should remove the packages and rotate credentials.
South Korea's Genians Security Center reports that the North Korean group ScarCruft (APT37) is sending spear-phishing emails dressed up as Microsoft Account security alerts to deliver a Python-based spy tool called NarwhalRAT. The emails warn of suspicious one-time-code activity and urge the recipient to open an attached advisory, which is actually a ZIP holding a malicious shortcut. Opening it kicks off a multi-stage, in-memory infection that leaves little on disk and gains persistence through a scheduled task. NarwhalRAT can log keystrokes, capture screenshots, record audio, and steal files from USB drives, and it disguises itself as the Korean browser Naver Whale while targeting South Korean users.
Attackers compromised a backend API on CPUID's website and replaced the official download links for CPU-Z and HWMonitor with trojanized versions containing the STX RAT. The attack lasted approximately six hours between April 9-10, timed to when the lead developer was on holiday. The malicious packages used DLL sideloading - legitimate CPUID executables (still properly signed) were bundled alongside a malicious CRYPTBASE.dll that masquerades as a standard Windows library. When users launched HWMonitor or CPU-Z, the malicious DLL loaded and deployed the RAT entirely in memory, with four independent persistence paths. The primary goal was browser credential theft, specifically targeting Chrome's IElevation COM interface to dump and decrypt saved passwords. The same threat group previously compromised FileZilla downloads in early March 2026. CPUID's signed original files were not tampered with - this was an infrastructure attack redirecting download links to attacker-controlled Cloudflare R2 storage.
Kaspersky researchers uncovered CrystalRAT, a new malware-as-a-service sold via Telegram and promoted on YouTube with a tiered subscription model. Built in Go, it combines remote access via VNC, keylogging, clipboard hijacking for crypto wallet theft, browser credential stealing from Chromium/Yandex/Opera, and data harvesting from Steam, Discord, and Telegram. Each buyer gets a uniquely encrypted build using ChaCha20, making detection harder. Kaspersky warns that new versions are still shipping, and the victim count is likely to grow.
Attackers hijacked the npm account of Axios's lead maintainer and published two poisoned versions of one of JavaScript's most popular libraries - 83 million weekly downloads. Versions 1.14.1 and 0.30.4 inject a hidden dependency called plain-crypto-js that drops a cross-platform RAT targeting macOS, Windows, and Linux. The malware phones home within seconds of npm install, then deletes itself to avoid detection. Both release branches were hit within 39 minutes of each other.