A malicious npm package named 'postcss-minify-selector-parser' impersonated a widely used build tool and embedded a multi-stage Windows remote access trojan (RAT) in a supply chain attack. JFrog disclosed the attack, noting the package's deceptive resemblance to the popular 'postcss-selector-parser'. When imported, the package executed an encrypted payload that downloaded further malicious components from a disguised domain.
The RAT was capable of stealing browser logins, particularly from Google Chrome, and established persistence on the infected machines. JFrog urged users to remove the package and check their systems for potential residual traces.
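One way to check whether a project ever resolved the package is to scan its package-lock.json for the name, both as an installed entry and as a requested dependency, which also shows which parent pulled it in. This is an added example, not code from JFrog or from the original report; the sample lockfile, the `demo-app` and `example-build-plugin` names, and all version strings are constructed for illustration.

```javascript
'use strict';
// Package name as reported on this page; the legitimate package is 'postcss-selector-parser'.
const BAD = 'postcss-minify-selector-parser';

// Return every place `name` is installed or requested in a parsed package-lock.json.
function findInLock(lock, name = BAD) {
  const hits = [];
  const asks = (map) => Object.keys(map || {}).includes(name);
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      hits.push({ kind: 'installed', where: path, version: meta.version });
    }
    for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
      if (asks(meta[field])) hits.push({ kind: 'required-by', where: path || '(root project)', version: meta[field][name] });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists, to avoid duplicates).
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const here = [...trail, dep].join(' > ');
      if (dep === name) hits.push({ kind: 'installed', where: here, version: meta.version });
      if (asks(meta.requires)) hits.push({ kind: 'required-by', where: here, version: meta.requires[name] });
      walk(meta.dependencies, [...trail, dep]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile: demo-app, example-build-plugin and every version string are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', devDependencies: { 'example-build-plugin': '^1.0.0' } },
    'node_modules/example-build-plugin': { version: '1.0.0', dependencies: { [BAD]: '^0.0.1' } },
    'node_modules/postcss-selector-parser': { version: '0.0.0' },
    [`node_modules/example-build-plugin/node_modules/${BAD}`]: { version: '0.0.1' },
  },
};

// Usage: node scan-lock.js path/to/package-lock.json (no argument scans the constructed sample).
const file = typeof process !== 'undefined' && process.argv[2];
const lock = file && typeof require === 'function'
  ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
for (const h of findInLock(lock)) console.log(`${h.kind}: ${h.where} (${h.version})`);
```

A hit means the package was resolved into the dependency tree at some point. Because the RAT described above establishes persistence, a Windows host that imported the package still needs to be checked for residual traces after the package is removed.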