A cyberattack targeted the NPM ecosystem by publishing malicious versions of the ‘rand-user-agent’ package to deploy a remote access trojan, affecting users who installed these updates. The attack exploited an outdated automation token related to a deprecated package, leading to a supply-chain compromise affecting thousands of developers. (Affected: npm registry users and systems using compromised package versions)
Key points:
- The threat actor published malicious ‘rand-user-agent’ package updates on NPM, containing a backdoor named Python3127 PATH Hijack.
- The attack exploited an outdated automation token lacking two-factor authentication, enabling the malicious releases.
- Malicious versions deployed a backdoor capable of manipulating directories, executing shell commands, and communicating with a remote C&C server.
- The attacker increased version numbers and maintained access without altering the GitHub repository, indicating a supply-chain attack.
- Users are advised to revert to version 2.0.82 and scan systems for malicious code to prevent compromise.
- WebScrapingAPI confirmed no breach in its core systems, with the incident isolated to the NPM registry.
- This incident highlights risks in open-source supply chains and the importance of securing automation tokens and dependencies.
Read More: https://www.securityweek.com/popular-scraping-tools-npm-package-compromised-in-supply-chain-attack/