A threat actor published three malicious versions of the popular NPM package ‘rand-user-agent’ to deploy and activate a remote access trojan (RAT) on users’ systems.
A Node.js package that has been deprecated, rand-user-agent generates randomized user-agent strings based on occurrence. It was originally built as a functionality tool for Romanian software development firm WebScrapingAPI, but can be integrated into any node.js project for web scraping.
The package still has over 40,000 weekly downloads, but hasn’t been updated for over seven months, and a threat actor took advantage of this to push versions injected with malicious code.
While the project’s GitHub repository has remained unchanged, showing the latest clean version, 2.0.82, the threat actor published the malicious updates to the NPM registry, as versions 2.0.83, 1.0.110, and 2.0.84, explains Aikido, which first detected the suspicious code.
The malicious package versions deploy a backdoor named Python3127 PATH Hijack, which can manipulate directories and files, and can execute shell commands and additional payloads.
“One of the more subtle features of this RAT is its use of a Windows-specific PATH hijack, aimed at quietly executing malicious binaries under the guise of Python tooling,” Aikido notes.
Responding to a SecurityWeek inquiry, WebScrapingAPI revealed that the threat actor published the malicious package versions after obtaining an outdated automation token that was not protected by two-factor authentication.
Using the token, the attacker published versions that did not exist in the GitHub repository, increased the version numbers to make them appear legitimate, and refrained from deprecating code, “hoping the new releases would propagate before anyone noticed,” WebScrapingAPI said.
“There is no evidence of a breach in our source-code repository, build pipeline, or corporate network. The incident was limited to the NPM registry,” the company said.
WebScrapingAPI also confirmed that the malicious versions downloaded a backdoor and opened a communication channel to a remote command-and-control (C&C) server.
“The malicious code was never present in our GitHub repository; it was introduced only in the NPM artifacts, making this a classic supply-chain attack,” the company told SecurityWeek.
Users of rand-user-agent who installed any of the malicious versions (2.0.84, 1.0.110, and 2.0.83) are advised to revert to version 2.0.82 as soon as possible and to check their systems for the presence of malicious code and other signs of compromise.
“We apologize to every developer and organization impacted by this incident. Protecting the open-source ecosystem is a responsibility we take seriously, and we are committed to full transparency as we close every gap that allowed this attack to occur,” WebScrapingAPI said.
Related: Malicious NPM Packages Target Cryptocurrency, PayPal Users
Related: 9-Year-Old NPM Crypto Package Hijacked for Information Theft
Related: Snyk Says ‘Malicious’ NPM Packages Part of Research Project
Related: Hundreds Download Malicious NPM Package Capable of Delivering Rootkit
