Postcss-minify-selector-parser Windows RAT delivery chain
Malware Activity
Summary
The postcss-minify-selector-parser npm package delivered a multi-stage Windows RAT, creating a supply-chain path onto developer machines and exposing browser logins and file data to theft. The package impersonated postcss-selector-parser, making the compromise plausible during dependency review. It was still present on the npm registry during analysis.
Related Happenings
Malicious npm packages delivering Windows RAT
Malware Activity
H score: 3
First: 23.06.2026 11:54
Last: 23.06.2026 11:54
Sources: 1
About this happening:
A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...
Sapphire Sleet Mastra npm supply-chain campaign
Campaign
H score: 42
First: 20.06.2026 17:09
Last: 20.06.2026 17:09
Sources: 1
About this happening:
The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Easy-day-js Mastra package-publishing campaign
Campaign
H score: 30
First: 17.06.2026 10:38
Last: 17.06.2026 10:38
Sources: 1
About this happening:
The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...
Mastra @mastra/* npm packages hit by network compromise
Incident
H score: 47
First: 17.06.2026 10:38
Last: 17.06.2026 10:38
Sources: 1
About this happening:
**Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...
Latest development: 20.06.2026 17:09
Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.
Windows cldflt.sys privilege escalation (CVE-2020-17103)
Vulnerability
H score: 28
First: 18.05.2026 01:30
Last: 18.05.2026 01:30
Sources: 1
About this happening:
A public **MiniPlasma** proof-of-concept has renewed concern around the **Windows cldflt.sys Cloud Filter driver** because it can elevate a **standard user** to **SYSTEM** on **fu...
Timeline
23.06.2026 18:00 · 2 articles
postcss-minify-selector-parser impersonates postcss-selector-parser and delivers a Windows RAT
Initial Disclosure
The malicious npm package postcss-minify-selector-parser impersonated postcss-selector-parser, used matching postcss, selector and parser keywords plus the genuine library as a dependency to look plausible in review, and delivered a multi-stage Windows RAT to developer machines. The infection chain decoded an encrypted blob with an AES-256-GCM decoder, wrote and ran a PowerShell dropper, downloaded a ZIP from nvidiadriver[.]net, unpacked a bundled Python runtime and Nuitka-compiled modules, and launched a RAT that set registry run-key persistence, contacted command infrastructure over encrypted HTTP, opened a remote shell, moved files, and targeted Google Chrome to steal saved logins and defeat app-bound encryption.
Sources:
- Lookalike npm Package Hides a Multi-Stage Windows RAT — www.infosecurity-magazine.com — 23.06.2026 18:00
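A lockfile audit for the impersonation pattern described in the timeline entry above, as an added example that is not taken from the cited report. It assumes an npm lockfile with a "packages" map (lockfileVersion 2 or 3); the lookalike rule is a heuristic built from the traits the entry lists, and the sample lockfile, its versions and the name postcss-fast-selector-parser are constructed.

```javascript
// Added example: audit a parsed package-lock.json for the package named on this
// page and for similar lookalikes. The lookalike rule is a heuristic assumption.
const KNOWN_BAD = 'postcss-minify-selector-parser'; // named on this page
const GENUINE = 'postcss-selector-parser';          // library being impersonated
const KEYWORDS = ['postcss', 'selector', 'parser']; // keywords the entry mentions

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockKey) {
  const marker = 'node_modules/';
  const i = lockKey.lastIndexOf(marker);
  return i === -1 ? lockKey : lockKey.slice(i + marker.length);
}

// Name carries all three keywords AND the package pulls in the genuine library.
function isLookalike(name, entry) {
  if (name === GENUINE) return false;
  const tokens = name.toLowerCase().split(/[^a-z0-9]+/).filter(Boolean);
  const deps = { ...entry.dependencies, ...entry.optionalDependencies };
  return KEYWORDS.every((k) => tokens.includes(k)) && Object.hasOwn(deps, GENUINE);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // root project entry
    const name = packageName(key);
    let reason = null;
    if (name === KNOWN_BAD) reason = 'known-malicious';
    else if (isLookalike(name, entry)) reason = 'lookalike-heuristic';
    if (reason) {
      findings.push({ name, version: entry.version, path: key, reason,
        hasInstallScript: Boolean(entry.hasInstallScript) });
    }
  }
  return findings;
}

// Constructed sample lockfile (not registry data); versions are placeholders.
const dep = { dependencies: { 'postcss-selector-parser': '*' } };
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/postcss-selector-parser': { version: '0.0.0-sample' },
  'node_modules/postcss-minify-selector-parser': { version: '0.0.0-sample', ...dep },
  'node_modules/x/node_modules/postcss-fast-selector-parser': { version: '0.0.0-sample', ...dep },
  'node_modules/postcss-minify-selectors': { version: '0.0.0-sample', ...dep },
} };

console.log(auditLockfile(SAMPLE_LOCK));
```

A heuristic hit is a prompt for manual review of the package's publisher and contents, not proof of compromise.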