Watch out: Fake npm packages are impersonating a popular PostCSS tool to drop a #Windows RAT and steal passwords stored in Chrome.

Listen or Read: https://hackread.com/fake-npm-packages-postcss-tool-steal-chrome-password/

#npm #PostCSS #Cybersecurity #Malware

Fake npm Packages Impersonate PostCSS Tool to Steal Chrome Passwords

JFrog warns of malicious npm packages that mimic PostCSS tooling, drop a Windows RAT, and target Chrome-stored passwords through a staged infection setup route.

Hackread - Cybersecurity News, Data Breaches, AI and More
🚀✨ Behold the pinnacle of technological regression: an ASCII-based #3D engine that flouts all modern graphics standards! No WebGL or canvas here—just a glorious throwback to #1980s text art, now painstakingly wrapped in #npm for reasons only a #hipster could comprehend. 🎨🔧
https://glyphcss.com #ASCII #retro #tech #textart #HackerNews #ngated
glyphcss: ASCII polygon-mesh renderer for the DOM

Render textured 3D meshes into a character grid. Single <pre> + sparse DOM hit layer — inspect every hotspot in DevTools, attach onClick to any 3D anchor, with zero polygon-per-node overhead.

From PostCSS Masquerading to Windows RAT - JFrog Security Research

JFrog Security Research analyzed a suspicious npm package named postcss-minify-selector-parser. The package impersonates the popular PostCSS selector-parser ecosystem and hides a multi-stage payload that downloads a Windows Python/Nuitka RAT.

Artifact scanner detects npm package 'node-fetch-utils' using external dependency resolution with remote tarball dependency from GitHub

A malicious npm package named 'node-fetch-utils' was discovered masquerading as a legitimate fetch helper utility. The package declares a remote tarball dependency from GitHub that executes upon installation. It runs an obfuscated postinstall script targeting Windows systems, which downloads a bundled Python runtime and drops it as Microsoft\EdgeBroker\pythonw.exe for persistence. The dropper then uses this disguised runtime to execute a fileless Python implant decrypted in memory and launched hidden via wscript. The dropper scripts self-delete while the disguised runtime remains active on the compromised system, establishing command and control communications.

Pulse ID: 6a3a780ee89db8a716522418
Pulse Link: https://otx.alienvault.com/pulse/6a3a780ee89db8a716522418
Pulse Author: AlienVault
Created: 2026-06-23 12:11:58

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ELF #Edge #GitHub #InfoSec #Microsoft #NPM #OTX #OpenThreatExchange #Python #Windows #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

From PostCSS Masquerading to Windows RAT

A sophisticated supply chain attack leverages typosquatting of the legitimate postcss-selector-parser npm package, which receives over 150 million weekly downloads. Three malicious packages published by user 'abdrizak' masquerade as PostCSS utilities while delivering a multi-stage Windows RAT. The infection chain begins with encoded JavaScript that drops PowerShell scripts, which then download a bundled Python runtime containing Nuitka-compiled modules. The final payload implements comprehensive RAT capabilities including HTTP C2 communication with RC4 encryption, registry persistence, VM detection, remote shell execution, file transfer, and Chrome credential theft using DPAPI and app-bound decryption. The attack demonstrates how build tooling dependencies can serve as delivery mechanisms for sophisticated Windows malware targeting developer environments.

Pulse ID: 6a3ac05e2137f66d3a690558
Pulse Link: https://otx.alienvault.com/pulse/6a3ac05e2137f66d3a690558
Pulse Author: AlienVault
Created: 2026-06-23 17:20:30

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Chrome #CyberSecurity #Encryption #HTTP #InfoSec #Java #JavaScript #Malware #NPM #OTX #OpenThreatExchange #PowerShell #Python #RAT #SMS #SupplyChain #TypoSquatting #Windows #bot #AlienVault

📰 North Korea's Sapphire Sleet Blamed for Mastra AI Framework Supply Chain Attack on NPM

🚨 North Korea's Sapphire Sleet behind Mastra AI supply chain attack! 141 malicious NPM packages published after maintainer account compromise. Developers, check for 'easy-day-js' dependency now! #SupplyChain #NPM #CyberAttack

🌐 cyber[.]netsecops[.]io

🔗 https://cyber.netsecops.io/articles/north-korean-hackers-blamed-for-mastra-npm-supply-chain-attack/?utm_source=mastodon&utm_med…

Malicious npm Packages Pose as PostCSS Tools to Deliver Windows RAT

Three typosquatting npm packages impersonating PostCSS utilities were caught delivering a Windows RAT with Chrome credential theft. Learn what happened and which controls stop it.

🚀 Deploy Self-Hosted #OpenClaw on #VPS (3 Minute Quick-Start Guide 🤖)

This article provides a quick, yet thorough step-by-step guide to deploy self-hosted OpenClaw on VPS servers. A lot of users have been deploying directly to Mac Minis, but we'd like to present another, radically different clawd deployment strategy. In this guide, we will deploy OpenClaw on a Linux VPS, specifically a #Debian VPS.
What is ...
Continued 👉 https://blog.radwebhosting.com/deploy-self-hosted-openclaw-on-vps/?utm_source=mastodon&utm_medium=social&utm_campaign=mastodon.raddemo.host #selfhosted #npm #clawdbot #selfhosting

"The package name is not random. The legitimate postcss-selector-parser package is widely used across the JavaScript build ecosystem, with npm reporting more than 150M weekly downloads."

JFrog, from yesterday: From PostCSS Masquerading to Windows RAT https://research.jfrog.com/post/from-postcss-typosquat-to-windows-rat/

More:

Infosecurity-Magazine: Lookalike npm Package Hides a Multi-Stage Windows RAT https://www.infosecurity-magazine.com/news/lookalike-npm-package-postcss/ #infosec #JavaScript #npm #Windows

From package to postinstall payload: Inside the Mastra npm supply chain compromise by Sapphire Sleet | Microsoft Security Blog

Pulse ID: 6a3a9d550daf17862bebff15
Pulse Link: https://otx.alienvault.com/pulse/6a3a9d550daf17862bebff15
Pulse Author: CyberHunter_NL
Created: 2026-06-23 14:51:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Microsoft #NPM #OTX #OpenThreatExchange #SupplyChain #bot #CyberHunter_NL
