A newly discovered malware campaign is targeting Windows systems through a deceptive package on the npm registry.
Disguised as a legitimate CSS build tool, the malicious package quietly installs a full-featured Remote Access Trojan, or RAT, on developer machines.
The attack is subtle, well-crafted, and far more dangerous than it first appears.
The infection begins with a typosquatted npm package called postcss-minify-selector-parser, designed to look like the widely trusted postcss-selector-parser, which sees over 150 million weekly downloads.
When a developer installs the fake package, a hidden encoded blob inside the entry file kicks off a multi-stage attack chain.
The payload eventually drops a Windows RAT capable of stealing credentials, running shell commands, and communicating with a remote attacker.
Security researchers at JFrog identified the threat and published a detailed analysis on June 22, 2026, in a report shared with Cyber Security News (CSN).
The investigation also uncovered two related packages, postcss-minify-selector and aes-decode-runner-pro, all tied to the same npm publisher. At the time of the report, all three packages were still live and accessible on the registry.
What makes this campaign stand out is how carefully it blends in. The fake package uses the same keywords and even depends on the real postcss-selector-parser, making it easy to miss during a routine dependency review.
Developers in fast-moving projects who do not audit transitive dependencies are especially at risk, and the attacker clearly understood how trust operates in open-source ecosystems.
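The dependency-review gap described above can be closed with a small lockfile check. The following is an added example in Python, not code from JFrog or from this article: it walks a package-lock.json (lockfile v2 or v3), flags the three package names the report identifies, and also flags names that imitate postcss-selector-parser either by a one- or two-character edit or by padding the real name with extra tokens (postcss-[minify-]selector-parser), reporting whether each hit is direct or transitive and which package pulled it in. The sample lockfile and the package example-css-build-helper in it are constructed for illustration.

```python
"""Scan an npm package-lock.json (lockfile v2/v3) for known-malicious and
lookalike package names, including transitive dependencies."""
import json
from typing import Dict, List, Optional

# Package names from the JFrog report; PROTECTED holds the real package they imitate.
KNOWN_MALICIOUS = {"postcss-minify-selector-parser", "postcss-minify-selector", "aes-decode-runner-pro"}
PROTECTED = {"postcss-selector-parser"}  # extend with the popular packages your stack relies on


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two names; a value of 1 or 2 flags one-letter typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_subsequence(needle: List[str], hay: List[str]) -> bool:
    """True if every token of needle occurs in hay in the same order, extras allowed."""
    it = iter(hay)
    return all(tok in it for tok in needle)


def lookalike_of(name: str) -> Optional[str]:
    """Return the protected package that `name` imitates, or None."""
    if name in PROTECTED:
        return None
    for legit in PROTECTED:
        if levenshtein(name, legit) <= 2:
            return legit
        # Padded names keep every token of the real package and insert extras,
        # e.g. postcss-[minify-]selector-parser.
        if is_subsequence(legit.split("-"), name.split("-")):
            return legit
    return None


def package_name(lock_path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def scan_lockfile(lock: dict) -> List[dict]:
    """One finding per suspicious package, with direct/transitive status and who requires it."""
    packages: Dict[str, dict] = lock.get("packages", {})
    direct = set(packages.get("", {}).get("dependencies", {}))
    required_by: Dict[str, List[str]] = {}  # dependency -> packages that require it
    for path, meta in packages.items():
        parent = "<project root>" if path == "" else package_name(path)
        for dep in meta.get("dependencies", {}):
            required_by.setdefault(dep, []).append(parent)
    findings = []
    for path, meta in packages.items():
        if path == "":
            continue  # the project's own entry
        name = package_name(path)
        reasons = ["known-malicious"] if name in KNOWN_MALICIOUS else []
        legit = lookalike_of(name)
        if legit:
            reasons.append(f"lookalike of {legit}")
        if reasons:
            findings.append({"name": name, "version": meta.get("version"), "direct": name in direct,
                             "required_by": sorted(required_by.get(name, [])), "reasons": reasons})
    return findings


# Constructed sample lockfile: a hypothetical build helper pulls in the fake
# parser, which depends on the real postcss-selector-parser as the article notes.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"example-css-build-helper": "^1.0.0"}},
    "node_modules/example-css-build-helper": {
      "version": "1.0.0",
      "dependencies": {"postcss-minify-selector-parser": "^1.0.0"}
    },
    "node_modules/postcss-minify-selector-parser": {
      "version": "1.0.0",
      "dependencies": {"postcss-selector-parser": "^6.0.0"}
    },
    "node_modules/postcss-selector-parser": {"version": "6.0.0"}
  }
}""")

if __name__ == "__main__":
    for f in scan_lockfile(SAMPLE_LOCK):
        kind = "direct" if f["direct"] else "transitive via " + ", ".join(f["required_by"])
        print(f"{f['name']}@{f['version']} [{kind}]: {'; '.join(f['reasons'])}")
```

Run it against a real lockfile with json.load(open("package-lock.json")) in place of SAMPLE_LOCK. The token-subsequence rule is deliberately broad, so expect some benign hits once PROTECTED grows; treat those as a review queue rather than a blocklist.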
The real damage only becomes clear after the full payload chain executes. A PowerShell downloader fetches a ZIP archive from a lookalike domain, extracts it, and launches a VBS script to start the RAT.
The final implant runs as a bundled Python application compiled with Nuitka, making it much harder to inspect than a typical script-based threat.
Windows RAT Uses Encrypted HTTP C2 and Registry Persistence
Once the RAT is running on a victim machine, it establishes contact with a command-and-control, or C2, server over HTTP.
All traffic is encrypted with RC4 (ARC4), with MD5 checksum material used in the wrapping, which makes it harder to detect at the network level. The RAT sends an initial host profile to the C2 and then enters a loop, waiting for commands from the attacker.
To survive reboots, the malware writes a registry persistence key using the entry name csshost under the Windows Run key. It also stores a persistent victim UUID and host configuration in files dropped in the TEMP directory.
This means even if the attacker loses contact, the RAT reconnects automatically the next time the machine starts.
The RAT supports a wide range of capabilities including remote shell execution, file upload and download, randomized sleep commands, and virtual machine detection.
[Figure: End-to-end infection chain (Source: JFrog)]
The VM checks use WMI queries and MAC address prefix matching to avoid triggering sandbox analysis environments. This level of evasion design points to a threat actor with deliberate technical planning and real operational experience.
Chrome Credential Theft and Exfiltration
Beyond remote control, the RAT includes a dedicated module for stealing saved login data from Google Chrome.
It accesses Chrome’s local profile files, including the Login Data SQLite database, and uses Windows decryption APIs to unlock stored passwords. It also handles newer Chrome app-bound encryption, meaning even recently protected credentials are not safe.
The auto.pyd module also collects Chrome extension data, packaging results into an in-memory archive before sending it out.
Output file references found in the binary include chrome_logins_dump.txt and gather.tar.gz, suggesting the attacker designed this for organized batch exfiltration.
For developers who store API keys, tokens, or credentials in their browsers, this is a serious and immediate threat.
JFrog recommends that anyone who installed packages from this cluster remove them right away and inspect full dependency trees for transitive risks.
Security teams should block the network indicators tied to this campaign and search endpoints for related file paths and executables. All browser-stored credentials and development tokens on affected machines should be treated as compromised and rotated without delay.
Indicators of Compromise (IoCs):

Type | Indicator | Description
IP Address | 95[.]216[.]92[.]207 | C2 server IP address
Domain | nvidiadriver[.]net | Payload delivery domain
URL | hxxp[:]//95[.]216[.]92[.]207:8080 | C2 communication endpoint
URL | hxxp[:]//nvidiadriver[.]net/verv1432/winpatch-xd7d[.]win | Payload download URL
File Path | %TEMP%\winPatch.zip | Downloaded malware archive
File Path | %TEMP%\winPatch\update.vbs | VBS bootstrapper file
File Path | %TEMP%.store | Persistent victim UUID storage
File Path | %TEMP%.host | Host configuration storage
Registry Key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\csshost | RAT persistence registry entry
File Name | win-driver-xd7d/chost.exe | Renamed Python launcher
File Name | win-driver-xd7d/loader.py | Python loader script
File Name | win-driver-xd7d/api.cp310-win_amd64.pyd | HTTP C2 packet exchange module
File Name | win-driver-xd7d/audiodriver.cp310-win_amd64.pyd | Main RAT orchestration module
File Name | win-driver-xd7d/auto.cp310-win_amd64.pyd | Chrome credential theft module
File Name | win-driver-xd7d/command.cp310-win_amd64.pyd | Host actions and shell execution module
File Name | win-driver-xd7d/config.cp310-win_amd64.pyd | RAT configuration module
File Name | win-driver-xd7d/util.cp310-win_amd64.pyd | Archive helper module
SHA-256 | 164e322d6fbc62e254d73583acd7f39444c884d3f5e6a5d27db143fc25bc88b3 | audiodriver.cp310-win_amd64.pyd
SHA-256 | 50ffce607867d8fa8eaf6ef5cd25a3c0e7e4415e881b9e55c04a67bcddb74fdf | api.cp310-win_amd64.pyd
SHA-256 | 17832aa629524ef6e8d8d6e9b6b902a8d324b559e3c36dbd0e221ab1690be871 | auto.cp310-win_amd64.pyd
SHA-256 | c8075bbff748096e1c6a1ea0aa67bb6762fdd7551427a12425b35b94c1f1ecf2 | command.cp310-win_amd64.pyd
SHA-256 | f6669bd504ce6b0e303be7ee47f2ebbc062989c88c41f0a3f436044a24869798 | config.cp310-win_amd64.pyd
SHA-256 | 282b9bc318ad1234cbd1b86424b784299b8be31545802a7c6b751166b814b990 | util.cp310-win_amd64.pyd
npm Package | postcss-minify-selector-parser (XRAY-1002983) | Primary malicious npm package
npm Package | postcss-minify-selector (XRAY-1003986) | Related malicious npm package
npm Package | aes-decode-runner-pro (XRAY-989675) | Related AES decoder package
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
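Putting the indicators to work means refanging them in a controlled place and then matching them against what your telemetry actually shows: proxy or DNS logs for the network indicators, and a file and registry inventory for the persistence artifacts described in the section above. The following is an added example in Python, not JFrog's or CSN's code. The IoC rows are a subset copied from the table above; the proxy log lines, the endpoint inventory, the hostname, and the TEMP directory path are constructed for illustration.

```python
"""Match the report's IoCs against proxy log lines and an endpoint artifact inventory."""
from typing import Dict, List, Tuple

# (type, defanged indicator, description), copied from the article's IoC table.
IOCS: List[Tuple[str, str, str]] = [
    ("IP Address", "95[.]216[.]92[.]207", "C2 server IP address"),
    ("Domain", "nvidiadriver[.]net", "Payload delivery domain"),
    ("URL", "hxxp[:]//95[.]216[.]92[.]207:8080", "C2 communication endpoint"),
    ("URL", "hxxp[:]//nvidiadriver[.]net/verv1432/winpatch-xd7d[.]win", "Payload download URL"),
    ("File Path", r"%TEMP%\winPatch.zip", "Downloaded malware archive"),
    ("File Path", r"%TEMP%\winPatch\update.vbs", "VBS bootstrapper file"),
    ("Registry Key", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\csshost", "RAT persistence registry entry"),
    ("SHA-256", "164e322d6fbc62e254d73583acd7f39444c884d3f5e6a5d27db143fc25bc88b3", "audiodriver.cp310-win_amd64.pyd"),
    ("SHA-256", "17832aa629524ef6e8d8d6e9b6b902a8d324b559e3c36dbd0e221ab1690be871", "auto.cp310-win_amd64.pyd"),
]


def refang(value: str) -> str:
    """Undo report-style defanging so an indicator can be compared with live telemetry."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def normalize_path(path: str, temp_dir: str) -> str:
    """Expand %TEMP%, unify separators and fold case so Windows paths compare reliably."""
    return path.replace("%TEMP%", temp_dir).replace("/", "\\").lower()


def scan_network_logs(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (log line, description) for each line that contains a network IoC.

    Longer indicators are tried first so a C2 URL is reported as the URL, not as its IP."""
    network = sorted(((refang(v), d) for t, v, d in IOCS if t in ("IP Address", "Domain", "URL")),
                     key=lambda pair: len(pair[0]), reverse=True)
    hits = []
    for line in lines:
        for value, desc in network:
            if value in line:
                hits.append((line, desc))
                break
    return hits


def scan_endpoint(inventory: Dict[str, List[str]], temp_dir: str) -> List[Tuple[str, str]]:
    """Match file paths, file hashes and Run-key entries from a host inventory.

    inventory["files"] entries are 'path|sha256' (hash may be empty);
    inventory["registry"] entries are full value paths under HKCU."""
    paths = {normalize_path(v, temp_dir): d for t, v, d in IOCS if t == "File Path"}
    hashes = {v.lower(): d for t, v, d in IOCS if t == "SHA-256"}
    reg_keys = {v.lower(): d for t, v, d in IOCS if t == "Registry Key"}
    hits = []
    for entry in inventory.get("files", []):
        path, _, digest = entry.partition("|")
        norm = normalize_path(path, temp_dir)
        if norm in paths:
            hits.append((path, paths[norm]))
        elif digest.lower() in hashes:  # renamed or relocated module, caught by hash
            hits.append((path, hashes[digest.lower()]))
    for key in inventory.get("registry", []):
        if key.lower() in reg_keys:
            hits.append((key, reg_keys[key.lower()]))
    return hits


# Constructed sample telemetry for one developer workstation.
TEMP_DIR = r"C:\Users\dev\AppData\Local\Temp"
PROXY_LOG = [
    "2026-06-22T10:14:03Z dev-laptop-07 GET http://nvidiadriver.net/verv1432/winpatch-xd7d.win 200",
    "2026-06-22T10:14:09Z dev-laptop-07 POST http://95.216.92.207:8080/ 200",
    "2026-06-22T10:15:00Z dev-laptop-07 GET https://registry.npmjs.org/postcss 200",
]
ENDPOINT = {
    "files": [
        r"C:\Users\dev\AppData\Local\Temp\winPatch\update.vbs|",
        r"C:\Users\dev\Downloads\win-driver-xd7d\auto.cp310-win_amd64.pyd|"
        "17832aa629524ef6e8d8d6e9b6b902a8d324b559e3c36dbd0e221ab1690be871",
        r"C:\Users\dev\project\node_modules\postcss\package.json|",
    ],
    "registry": [
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\csshost",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
    ],
}

if __name__ == "__main__":
    for line, desc in scan_network_logs(PROXY_LOG):
        print(f"NETWORK  {desc}: {line}")
    for artifact, desc in scan_endpoint(ENDPOINT, TEMP_DIR):
        print(f"ENDPOINT {desc}: {artifact}")
```

Feed scan_network_logs the lines of your proxy or DNS export and scan_endpoint the output of a file-hash and Run-key collection from each machine that installed the packages. A hash hit on a .pyd module outside %TEMP% is worth the same response as a path hit, since the launcher and modules are extracted to a directory the attacker controls.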