Malicious npm packages delivering Windows RAT

Malware Activity
H score 3
1 unique source, 1 article

Summary

A set of malicious npm packages is delivering a Windows-based RAT through a multi-stage install chain, creating risk of credential theft, host profiling, and remote control on infected Windows systems. The packages (`aes-decode-runner-pro`, `postcss-minify-selector`, and `postcss-minify-selector-parser`) masquerade as legitimate build tooling while handing off execution to a downloader chain. The malware uses `settings.ps1`, `update.vbs`, `curl.exe`, and `wscript.exe` to fetch and launch the next stage. The resulting payload can steal Google Chrome credentials and extension data, run shell commands, transfer files, and communicate with a C2 server at `95.216.92[.]207:8080`.

Related Happenings

Easy-day-js malware delivery through poisoned Mastra packages

Malware Activity
H score 29 First: 22.06.2026 14:30 Last: 22.06.2026 14:30 Sources 1

About this happening: A poisoned **Mastra** package chain delivered **malware** through **easy-day-js**, creating compromise risk across **Windows, macOS and Linux** systems. The payload disabled **TLS...

GlassWorm supply-chain malware activity

Malware Activity
H score 22 First: 27.05.2026 14:48 Last: 27.05.2026 14:48 Sources 1

About this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...

PureLogs infostealer purchase-order phishing delivery chain

Malware Activity
H score 21 First: 27.05.2026 11:00 Last: 27.05.2026 11:00 Sources 1

About this happening: The **PureLogs** infostealer is being delivered through **purchase-order-themed phishing emails**, creating a **Windows** infection chain that steals **browser credentials**, **Di...

GlassWorm multi-stage data-theft malware evolution

Malware Activity
H score 22 First: 25.03.2026 16:26 Last: 25.03.2026 16:26 Sources 1

About this happening: The **GlassWorm** malware family has evolved into a **multi-stage** payload chain that steals browser data and crypto-wallet information, increasing risk for **Windows** and **mac...

CanisterWorm self-propagation across npm packages

Malware Activity
H score 23 First: 21.03.2026 09:28 Last: 21.03.2026 09:28 Sources 1

About this happening: A **self-propagating npm supply-chain worm** tracked as **CanisterSprawl** is abusing **stolen developer npm tokens** to spread through compromised packages. **Socket** and **Step...

Timeline

  1. 23.06.2026 11:54 2 articles · 3h ago

    Malicious npm packages deliver a Windows RAT through a staged install chain

    Initial Disclosure

    Cybersecurity researchers identified malicious npm packages published by the npm user "abdrizak" that masquerade as PostCSS-related tooling and deliver a Windows-based remote access trojan through a multi-stage install chain. The packages write `settings.ps1`, fetch a ZIP from `nvidiadriver[.]net`, launch `update.vbs` with `wscript.exe`, and ultimately enable host profiling, Google Chrome credential theft, Chrome extension data collection, shell execution, file transfer, and C2 communication to `95.216.92[.]207:8080`.