今日已更新 80 条资讯 | 累计 20052 条内容
关于我们

npm Supply Chain RAT: PostCSS Impersonation & Dependency Confusion

Satyam Rastogi 2026年06月23日 23:34 1 次阅读 来源:Dev.to

Originally published on satyamrastogi.com Three malicious npm packages masquerading as PostCSS tools delivered Windows RAT payloads. Analysis of supply chain attack mechanics, payload delivery chains, and detection gaps in dependency management. Malicious npm Packages Pose as PostCSS Tools to Deliver Windows RAT Executive Summary This is a textbook supply chain attack leveraging npm's trust model. Three packages published in June 2026 - aes-decode-runner-pro , postcss-minify-selector , and postcss-minify-selector-parser - delivered Windows RAT payloads to developers. The attack demonstrates why automated dependency management without behavioral validation is a critical vulnerability. What makes this particularly effective: PostCSS is a legitimate, widely-used build tool. Developers hunting for PostCSS plugins via search or copy-pasting dependency names from tutorials become easy prey. The attacker didn't need zero-days, social engineering sophistication, or exploit kits. Just npm account registration and package uploads. This follows the exact pattern we've seen in credential theft campaigns prioritizing convenience over complexity . Low barrier to entry, high payoff. Attack Vector Analysis MITRE ATT&CK Framework Mapping This attack chains multiple techniques: T1195.001: Compromise Third-Party Software Supply Chain - Malicious package publication on npm registry T1566.002: Phishing - Spearphishing Link - Package discovery and recommendation (implicit trust) T1059.003: Command and Scripting Interpreter - Windows Command Shell - RAT payload execution T1105: Ingress Tool Transfer - Initial RAT download mechanism T1571: Non-Standard Port - C2 communication channels (typical) Kill Chain Breakdown Stage 1: Reconnaissance & Naming Attacker identifies PostCSS as high-value target (builds present in thousands of projects) Creates names that blend legitimacy with search results: postcss-minify-selector exploits incomplete package searches The aes-decode-runner-pro variant sug

本文内容来源于互联网,版权归原作者所有
查看原文