ctipilot.ch

PostCSS npm typosquats deliver Nuitka Python RAT (abdrizak)

campaign · item:postcss-npm-typosquat-python-rat

  • Coverage timeline: 1 brief, first 2026-06-24 → last 2026-06-24
  • Briefs: 1 (1 distinct)
  • Sources cited: 2 (2 hosts)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-06-24: CTI Daily Brief — 2026-06-24
    active_threats: First coverage. JFrog disclosure; AES-GCM dropper to Chrome-credential-stealing RAT.

Where this entity is cited

  • active_threats: 1

Source distribution

  • research.jfrog.com: 1 (50%)
  • thehackernews.com: 1 (50%)

Items in briefs about PostCSS npm typosquats deliver Nuitka Python RAT (abdrizak) (1)

PostCSS npm typosquats deliver a Nuitka-compiled Python RAT with Chrome DPAPI credential theft

From CTI Daily Brief — 2026-06-24 · published 2026-06-24

JFrog Security Research disclosed (2026-06-22) three malicious npm packages published by the account abdrizak — postcss-minify-selector-parser, postcss-minify-selector and aes-decode-runner-pro — that typosquat the legitimate postcss-selector-parser (150M+ weekly downloads) (JFrog, 2026-06-22; The Hacker News, 2026-06-23). On import, each package's index.js decrypts an AES-256-GCM blob and runs a JavaScript dropper that writes and executes a PowerShell downloader (settings.ps1); PowerShell pulls a Windows payload from an attacker-controlled host, a VBScript bootstrapper (update.vbs) extracts an archive, and a Nuitka-compiled Python 3.10 RAT (chost.exe loading loader.py plus six .pyd extension modules) activates. The RAT performs RC4-encrypted HTTP POST C2, registry Run-key persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, VM detection via WMI and adapter-MAC heuristics, remote shell, file transfer, and Chrome credential and extension-data theft via a DPAPI / app-bound-encryption bypass.

Why it matters to us: This is the npm typosquat-to-RAT pattern aimed squarely at developer endpoints and CI/CD runners — the highest-trust hosts in a software supply chain. Mapped to T1195.001/T1195.002 (Supply Chain Compromise), T1059.001 (PowerShell), T1027 (obfuscation — AES + Nuitka), T1547.001 (Registry Run Key), T1555.003 (Credentials from Web Browsers). Detection concepts (no IOCs): alert on node/npm/npx parent processes spawning powershell.exe (Sysmon EID 1 with parent-image filter); wscript.exe/cscript.exe executing from %TEMP%; new HKCU\...\Run values written by a Node toolchain; and Python runtimes in %TEMP% making outbound HTTP POST. Remediation is not "remove the package" — any host that installed these versions should have all browser-stored and developer credentials rotated and be treated as compromised.
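The detection concepts above turned into a small triage routine, as an added example that is not code from the brief, JFrog or The Hacker News: it assumes Sysmon-style event records carrying the field names ProcessGuid, ParentProcessGuid, Image, CommandLine, TargetObject and Initiated, and the event chain it runs over is constructed to mirror the described node → PowerShell → VBScript → chost.exe sequence. It goes one step beyond a plain parent-image filter by walking ProcessGuid links, so an intermediate cmd.exe does not hide the Node parent from the PowerShell and Run-key rules.

```python
import re  # added example; Sysmon field names, constructed events (not captured telemetry)

NODE = re.compile(r"\\(node|npm|npx)(\.exe|\.cmd)?$", re.I)
PWSH = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
WSH = re.compile(r"\\(wscript|cscript)\.exe$", re.I)
TEMP = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
RUN = re.compile(r"^(HKCU|HKU\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)

def node_descended(guid, procs):
    # Sysmon records only the immediate parent, so walk ParentProcessGuid links to
    # attribute node -> cmd.exe -> powershell.exe back to the Node toolchain.
    seen = set()
    while guid in procs and guid not in seen:
        seen.add(guid)
        if NODE.search(procs[guid]["Image"]):
            return True
        guid = procs[guid]["ParentProcessGuid"]
    return False

def triage(events):
    """Return (rule, evidence) pairs for events matching the detection concepts above."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    hits = []
    for e in events:
        eid, img, cmd = e["EventID"], e.get("Image", ""), e.get("CommandLine", "")
        if eid == 1 and PWSH.search(img) and node_descended(e["ParentProcessGuid"], procs):
            hits.append(("node_spawns_powershell", img))  # EID 1 with parent-image filter
        elif eid == 1 and WSH.search(img) and TEMP.search(cmd):
            hits.append(("wsh_script_from_temp", cmd))  # wscript/cscript running a %TEMP% script
        elif eid == 13 and RUN.match(e.get("TargetObject", "")) and node_descended(e["ProcessGuid"], procs):
            hits.append(("run_key_from_node_chain", e["TargetObject"]))  # Run value set by node's descendants
        elif eid == 3 and TEMP.search(img) and e.get("Initiated") == "true":
            hits.append(("temp_binary_outbound", img))  # %TEMP%-resident binary initiating a connection
    return hits

def ev(eid, guid, parent, image, **extra):  # minimal Sysmon-shaped event (constructed)
    return {"EventID": eid, "ProcessGuid": guid, "ParentProcessGuid": parent, "Image": image, **extra}
T = r"C:\Users\dev\AppData\Local\Temp"
SAMPLE = [  # constructed chain: node -> cmd -> powershell -> wscript -> chost.exe, plus one benign shell
    ev(1, "{1}", "{0}", r"C:\Program Files\nodejs\node.exe"),
    ev(1, "{2}", "{1}", r"C:\Windows\System32\cmd.exe"),
    ev(1, "{3}", "{2}", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       CommandLine=f"powershell.exe -File {T}\\settings.ps1"),
    ev(1, "{4}", "{3}", r"C:\Windows\System32\wscript.exe", CommandLine=f"wscript.exe {T}\\update.vbs"),
    ev(1, "{5}", "{4}", f"{T}\\pkg\\chost.exe"),
    ev(13, "{5}", "{4}", f"{T}\\pkg\\chost.exe",
       TargetObject=r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\chost"),
    ev(3, "{5}", "{4}", f"{T}\\pkg\\chost.exe", Initiated="true", DestinationPort="80"),
    ev(1, "{9}", "{8}", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),  # user-launched
]
```

Running `triage(SAMPLE)` yields four hits, one per rule, while the user-launched PowerShell with no Node ancestor produces none.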