Fake npm Packages Impersonating PostCSS Tool Deliver Windows RAT to Steal Chrome Passwords
What Happened — Malicious npm packages that masquerade as legitimate PostCSS tooling have been published to the public registry. When installed, they drop a Windows‑based remote access trojan that harvests credentials stored in Chrome. The attack chain is staged to first gain execution, then exfiltrate passwords.
Why It Matters for Compliance & Audit Readiness
- Demonstrates a gap in third‑party software vetting – a core SOC 2 CC6.1 (Third‑Party Risk Management) control.
- Continuous monitoring of open‑source dependencies provides audit‑ready evidence that only approved packages are in use.
- Aligns with Verisq’s Vendor Risk capability, which automates risk assessments and evidences remediation for supply‑chain exposures.
Who Is Affected – SaaS developers, DevOps teams, and any organization that incorporates npm packages into production code, across tech, fintech, and digital media sectors.
Recommended Actions
- Inventory all npm dependencies and enforce a signed‑package allowlist.
- Integrate automated scanning of new packages against threat intel feeds.
- Update third‑party risk policies to include open‑source component vetting and retain evidence for SOC 2 audits.
- Conduct a rapid risk assessment of any projects that have already pulled the malicious packages.
Technical Notes – The malicious packages exploit the trust model of npm by publishing under names similar to the official PostCSS CLI. They execute a Windows RAT that reads Chrome’s encrypted password store and sends the data to a command‑and‑control server. No public CVE is associated; the vector is a supply‑chain compromise via third‑party dependency. Source: HackRead