Supply chain attacks targeting open-source software repositories continue to be a significant threat, with recent discoveries revealing new campaigns delivering sophisticated malware. ### Malicious npm Packages Deploy Windows RAT Researchers have identified a series of malicious **npm** packages engineered to deliver a Windows-based Remote Access Trojan (RAT). The identified packages include: * `aes-decode-runner-pro` (145 downloads) * `postcss-minify-selector` (256 downloads) * `postcss-minify-selector-parser` (615 downloads) These packages, published by an **npm** user named "abdrizak," were still available for download at the time of reporting. According to **JFrog**'s analysis, `aes-decode-runner-pro` and `postcss-minify-selector-parser` masquerade as AES/custom-codec packages, depending on the legitimate `postcss-selector-parser` library, which boasts over 127 million weekly downloads. `Postcss-minify-selector` similarly presents itself as a PostCSS selector minifier, depending on `postcss-minify-selector-parser`. Regardless of the specific package downloaded, the attack chain consistently leads to the deployment of the same Windows malware. #### The Infection Chain The malicious packages contain a JavaScript dropper that writes and executes a PowerShell script (`settings.ps1`) to disk. This script then downloads a next-stage payload from an external server (`nvidiadriver[.]net`) using `curl.exe`. The downloaded payload is a ZIP archive containing a Visual Basic Script (`update.vbs`), a Python runtime, a Python loader (`loader.py`), and several Python extension modules (*.pyd) compiled with **Nuitka**. The Visual Basic script configures the Python environment and launches `loader.py`, initiating the RAT's core functionalities. #### RAT Capabilities This RAT is equipped with extensive capabilities, including: * Gathering host information * Siphoning credentials from **Google Chrome** * Collecting data from Chrome extensions * Executing shell commands * Downloading and uploading files to and from a command-and-control (C2) server (`95.216.92[.]207:8080`) These features are implemented through various Python native extension modules, such as `config.pyd` (C2 URL, command IDs), `api.pyd` (HTTP C2 communication), `audiodriver.pyd` (RAT orchestration), `command.pyd` (host profiling, VM checks, file transfer), `auto.pyd` (Chrome credential and extension theft, bypassing **ABE** protections), and `util.pyd` (archive helpers). **JFrog** emphasized, "This case shows how a small parser-like package can hide a multi-stage Windows payload while appearing related to legitimate build tooling with massive weekly usage. For defenders, the important lesson is to treat lookalike build dependencies as potential delivery mechanisms, not just harmless naming noise." ### Other Concurrent Supply Chain Campaigns These findings coincide with several other active campaigns targeting the **npm** and **TypeScript** ecosystems: * **MYRA Linux RAT**: A malicious package named `apintergrationpost` delivers a full-featured Linux RAT called **MYRA**. It compiles a native C rootkit during installation, establishes multiple persistence mechanisms, masquerades as a `systemd` service, supports fileless execution, and provides interactive shell access with live screen streaming. * **Google Stitch AI Impersonation**: The `@withgoogle/stitch-sdk` package impersonates **Google**'s Stitch AI design tool. It's designed to steal developer credentials from eight sources (**Claude Code**, `git config`, `~/.git-credentials`, SSH public keys, **GitHub CLI**, `npm config`, `~/.npmrc`, and `~/.docker/config.json`) and exfiltrate them to an attacker-controlled domain (`stitch-production[.]org/api/v1`). * **Windows Dropper Campaign**: A cluster of five packages (`procwire`, `routecraft`, `endpointmap`, `bytecraft`, and `staticlayer`) delivers a dropper binary on Windows hosts from an external server during `npm install`. `Routecraft` depends on `procwire`, which in turn depends on `endpointmap` and `bytecraft`. `Staticlayer` serves files to clients with a specific User-Agent. ### North Korean Overlaps and Blockchain C2 Further analysis reveals a supply chain attack targeting the `Egonex-AI/Understand-Anything` knowledge graph tool. This campaign pushes a malicious payload that utilizes a two-stage C2 mechanism. The first stage beacons one of three hardcoded C2 servers and exfiltrates a campaign marker. The second stage resolves commands from a **Tron** blockchain address, with the latest transaction encoding a **BSC** transaction hash carrying the active payload. This activity shows overlaps with the North Korean supply chain operation dubbed **PolinRider**. **PolinRider** has been observed injecting obfuscated JavaScript into legitimate developers' configuration files across nearly 2,000 compromised **GitHub** repositories. It delivers a known malware downloader and stealer called **BeaverTail**, which then paves the way for the **InvisibleFerret** backdoor. **SafeDep** noted, "This attack combines three things that individually are familiar but together open a detection gap: an elaborate fake PR description with fabricated test evidence, a diff that hides its payload in horizontal whitespace, and a two-stage C2 where the second stage uses public blockchain infrastructure as a write-once, read-anywhere relay." ### Recommendations Users who have installed any of the aforementioned malicious packages are strongly advised to: 1. Remove them immediately. 2. Remove any artifacts created by the packages. 3. Rotate credentials from all impacted developer machines.