Malicious npm Packages Masquerading as PostCSS Tools Deliver Windows RAT
What Happened — Researchers identified three newly‑published npm packages—aes-decode-runner-pro, postcss‑minify‑selector, and postcss‑minify‑selector‑parser—that contain a Windows‑based remote access trojan. The packages were uploaded within the last month by a single npm user and have already been downloaded a few hundred times, exposing developers who install them as dependencies.
Why It Matters for Compliance & Audit Readiness
- This is a classic supply‑chain scenario that SOC 2 vendor‑management controls are designed to mitigate: you must demonstrate due‑diligence in vetting third‑party code and continuously monitoring for malicious changes.
- Continuous evidence collection (e.g., automated SBOM checks, third‑party risk dashboards) provides audit‑ready proof that you are actively managing the risk of open‑source components.
- Leveraging Verisq’s Vendor Risk capability gives you a single source of truth for npm‑registry monitoring, turning raw alerts into defensible audit artifacts.
Who Is Affected — SaaS developers, DevOps teams, and any organization that incorporates npm packages into web or desktop applications (primarily TECH_SAAS and DEVOPS sectors).
Recommended Actions
- Immediately audit your dependency tree for any of the listed packages and remove them.
- Enforce a policy that all third‑party libraries are scanned with a Software Bill of Materials (SBOM) and a trusted source verification tool before acceptance.
- Integrate continuous monitoring of npm registries into your vendor‑risk program to capture future malicious uploads as audit evidence. Source: https://thehackernews.com/2026/06/malicious-npm-packages-pose-as-postcss.html
Technical Notes
- Attack vector: Third‑party dependency injection via npm registry.
- Payload: Windows Remote Access Trojan (RAT) capable of command‑and‑control, file exfiltration, and persistence.
- Downloads: 145 – 615 installs per package (as of reporting). No public CVE; the malicious code is custom. Source: https://thehackernews.com/2026/06/malicious-npm-packages-pose-as-postcss.html