A supply chain attack compromised the npm package ‘rand-user-agent’, injecting obfuscated code that activates a remote access trojan (RAT) on the systems of users who installed the affected versions. The malicious versions created hidden directories, established silent connections to attacker-controlled servers and allowed remote command execution. (Affected: npm users of the ‘rand-user-agent’ package)
Keypoints:
- The ‘rand-user-agent’ npm package was targeted in a supply chain attack; malicious code was injected into versions published after 2.0.82.
- Threat actors embedded obfuscated, hidden code in the package that activated a RAT, establishing covert communications with attacker-controlled servers.
- The malicious code created hidden directories and extended the module search path so the implant could load its own dependencies, ‘axios’ and ‘socket.io-client’.
- The RAT accepted remote commands to change directories, upload files and run arbitrary shell commands.
- The compromised versions have been removed from npm; users are advised to revert to the latest safe version and, if an affected version was installed, to scan the system.
- Downgrading to a legitimate version does not by itself remove the RAT from an already infected system.
- Consider switching to a well-maintained fork of ‘rand-user-agent’ for ongoing projects.
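The first thing a practitioner needs after reading the points above is a way to tell whether a project actually pulled in one of the affected versions, including copies nested under another dependency. The following script is an added example, not code from the advisory or from the ‘rand-user-agent’ project: it reads an npm lockfile (both the v1 nested layout and the v2/v3 flat `packages` layout), lists every install location of the package, and flags any version newer than 2.0.82. The cutoff is taken from the advisory's "versions after 2.0.82" and is passed as a parameter so it can be adjusted; the two lockfiles embedded below are constructed sample data, not real project files.

```javascript
// Added example (not from the original advisory): audit a package-lock.json
// for installs of 'rand-user-agent' newer than the last known-good release.
// The cutoff 2.0.82 is taken from the advisory text; the lockfiles below are
// constructed sample data, not a real project's lockfiles.
'use strict';

const PACKAGE = 'rand-user-agent';
const LAST_SAFE = '2.0.82';

// Compare two dotted numeric versions; returns -1, 0 or 1. Pre-release tags
// are ignored, which is sufficient for the versions discussed here.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk lockfileVersion 1 "dependencies" trees (recursively nested) and
// lockfileVersion 2/3 "packages" maps (flat, keyed by install path).
// Returns every install location of `name` with its version.
function listInstalls(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/' + name) && meta.version) {
        found.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const path = prefix + 'node_modules/' + dep;
        if (dep === name && meta.version) found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Flag any install newer than the last safe release.
function findAffected(lock, name = PACKAGE, lastSafe = LAST_SAFE) {
  return listInstalls(lock, name).filter(i => compareVersions(i.version, lastSafe) > 0);
}

// Constructed sample lockfile (v3 layout): a clean copy at the top level and a
// compromised copy pulled in transitively by a hypothetical 'some-lib'.
const SAMPLE_LOCK_V3 = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'rand-user-agent': '^2.0.0', 'some-lib': '^1.0.0' } },
    'node_modules/rand-user-agent': { version: '2.0.82' },
    'node_modules/some-lib': { version: '1.0.0', dependencies: { 'rand-user-agent': '^2.0.83' } },
    'node_modules/some-lib/node_modules/rand-user-agent': { version: '2.0.83' },
  },
};

// The same situation in the older v1 layout (constructed sample data).
const SAMPLE_LOCK_V1 = {
  name: 'demo-app', lockfileVersion: 1,
  dependencies: {
    'rand-user-agent': { version: '2.0.82' },
    'some-lib': { version: '1.0.0', dependencies: { 'rand-user-agent': { version: '2.0.84' } } },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node audit-lock.js [path/to/package-lock.json]; defaults to the sample.
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK_V3;
  const hits = findAffected(lock);
  for (const h of hits) console.log(`AFFECTED ${h.path} ${h.version}`);
  process.exitCode = hits.length ? 1 : 0;
}
```

The script only sees what the lockfile records; a copy installed ad hoc without a lockfile update, or a package cached elsewhere on the machine, will not show up, so pair it with `npm ls rand-user-agent` in each project. A clean result also says nothing about a host where an affected version was previously installed and has since been downgraded: as the advisory notes, the RAT persists independently of the package version, so such hosts still need a system scan.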