Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: rat (5 articles)Clear

Malicious npm packages mimic PostCSS tools to plant Windows remote-access trojan

JFrog found malicious npm packages that impersonate PostCSS build tools to drop a multi-stage Windows remote-access trojan on developer machines. One package, postcss-minify-selector-parser, is named to look like the widely used postcss-selector-parser library, which sees over 127 million weekly downloads, and even lists the real package as a dependency to seem plausible during a quick review. Once installed, it writes and runs a PowerShell script that pulls down the trojan. A second cluster of five packages delivers a dropper during npm install, with one server-side component that only serves the payload to victims matching a specific signature. Affected developers should remove the packages and rotate credentials.

Check
Check developer machines and build systems for the named malicious npm packages and any unexpected PowerShell activity or dropped executables that started during a recent npm install.
Affected
Developers who installed the lookalike PostCSS packages or the related five-package cluster; the payload is a Windows remote-access trojan that runs at install time on developer and build machines.
Fix
Remove the malicious packages and their artifacts, rotate credentials from affected machines, pin and verify dependencies, block install-time scripts in CI, and watch for typosquatted names close to popular libraries.

North Korea's ScarCruft uses fake Microsoft alerts to plant NarwhalRAT spyware

South Korea's Genians Security Center reports that the North Korean group ScarCruft (APT37) is sending spear-phishing emails dressed up as Microsoft Account security alerts to deliver a Python-based spy tool called NarwhalRAT. The emails warn of suspicious one-time-code activity and urge the recipient to open an attached advisory, which is actually a ZIP holding a malicious shortcut. Opening it kicks off a multi-stage, in-memory infection that leaves little on disk and gains persistence through a scheduled task. NarwhalRAT can log keystrokes, capture screenshots, record audio, and steal files from USB drives, and it disguises itself as the Korean browser Naver Whale while targeting South Korean users.

Check
Train staff to treat unexpected Microsoft account-security or OTP-alert emails with caution, verify the real sender domain, and never open attached archives or shortcut files from such messages.
Affected
Targets of North Korean espionage, with this campaign focused on South Korean users; victims are lured by fake Microsoft account-security emails carrying a ZIP with a malicious shortcut file.
Fix
Block or quarantine inbound archives containing shortcut files, enforce phishing-resistant MFA so OTP-themed lures lose value, and alert on scheduled tasks that launch scripts fetching payloads into memory.

CPUID website hijacked to serve RAT malware through official CPU-Z and HWMonitor downloads

Attackers compromised a backend API on CPUID's website and replaced the official download links for CPU-Z and HWMonitor with trojanized versions containing the STX RAT. The attack lasted approximately six hours between April 9-10, timed to when the lead developer was on holiday. The malicious packages used DLL sideloading - legitimate CPUID executables (still properly signed) were bundled alongside a malicious CRYPTBASE.dll that masquerades as a standard Windows library. When users launched HWMonitor or CPU-Z, the malicious DLL loaded and deployed the RAT entirely in memory, with four independent persistence paths. The primary goal was browser credential theft, specifically targeting Chrome's IElevation COM interface to dump and decrypt saved passwords. The same threat group previously compromised FileZilla downloads in early March 2026. CPUID's signed original files were not tampered with - this was an infrastructure attack redirecting download links to attacker-controlled Cloudflare R2 storage.

Check
Check if anyone in your organization downloaded CPU-Z or HWMonitor from cpuid.com between April 9-10. These are popular IT diagnostic tools that sysadmins and technicians frequently download.
Affected
Anyone who downloaded CPU-Z 2.19, HWMonitor 1.63, or other CPUID utilities from cpuid.com during the approximately six-hour compromise window (April 9-10, 2026). If the installer showed Russian-language prompts or was named HWiNFO_Monitor_Setup.exe instead of the expected CPUID filename, the system is compromised.
Fix
If you downloaded during the compromise window: consider the host fully compromised and re-image the machine. The malware has 4 independent persistence paths and may have delivered additional C2 payloads. At minimum: rotate all browser-saved passwords immediately (Chrome passwords are the primary theft target), scan for the CRYPTBASE.dll sideloading indicator, and block supp0v3[.]com at the network level. For ongoing protection: verify file hashes against known-good CPUID releases before running.

CrystalRAT malware-as-a-service sells remote access, crypto theft, and keylogging on Telegram

Kaspersky researchers uncovered CrystalRAT, a new malware-as-a-service sold via Telegram and promoted on YouTube with a tiered subscription model. Built in Go, it combines remote access via VNC, keylogging, clipboard hijacking for crypto wallet theft, browser credential stealing from Chromium/Yandex/Opera, and data harvesting from Steam, Discord, and Telegram. Each buyer gets a uniquely encrypted build using ChaCha20, making detection harder. Kaspersky warns that new versions are still shipping, and the victim count is likely to grow.

Check
Alert staff about fake software cracks and activators - the most common delivery vector for CrystalRAT infections.
Affected
Windows users who download software from unofficial sources. Current victims are primarily in Russia, but the MaaS model means geographic expansion is expected.
Fix
Block known CrystalRAT C2 infrastructure at the network level. Ensure endpoint detection tools are updated with Kaspersky's published IOCs. Train staff to verify crypto wallet addresses before confirming transfers - clipboard hijacking swaps addresses silently.

Axios npm package compromised - cross-platform RAT deployed via hijacked maintainer account

Attackers hijacked the npm account of Axios's lead maintainer and published two poisoned versions of one of JavaScript's most popular libraries - 83 million weekly downloads. Versions 1.14.1 and 0.30.4 inject a hidden dependency called plain-crypto-js that drops a cross-platform RAT targeting macOS, Windows, and Linux. The malware phones home within seconds of npm install, then deletes itself to avoid detection. Both release branches were hit within 39 minutes of each other.

Check
Check if any project or CI/CD pipeline installed Axios in the last 48 hours.
Affected
axios 1.14.1 and 0.30.4 on npm. Also @shadanai/openclaw and @qqbrowser/openclaw-qbot which bundle the same payload.
Fix
Downgrade to axios 1.14.0 or 0.30.3. Remove plain-crypto-js from node_modules. Rotate all credentials on affected systems. Block sfrclak[.]com and 142.11.206.73 on port 8000.