A threat actor published three malicious versions of the popular NPM package 'rand-user-agent' to deploy and activate a remote access trojan (RAT) on users' systems.
A Node.js package that has since been deprecated, rand-user-agent generates randomized user-agent strings weighted by how frequently each one occurs in the wild. It was initially built as an internal tool for Romanian software development firm WebScrapingAPI, but can be integrated into any Node.js project for web scraping.
The package still has over 40,000 weekly downloads, but hasn't been updated for over seven months, and a threat actor took advantage of this to push versions injected with malicious code.
While the project's GitHub repository has remained unchanged, showing the latest clean version, 2.0.82, the threat actor published the malicious updates to the NPM registry as versions 2.0.83, 1.0.110, and 2.0.84, explains Aikido, which first detected the suspicious code.
The malicious package versions deploy a backdoor named Python3127 PATH Hijack, which can manipulate directories and files and can execute shell commands and additional payloads.
"One of the more subtle features of this RAT is its use of a Windows-specific PATH hijack, aimed at quietly executing malicious binaries under the guise of Python tooling," Aikido notes.
Responding to a SecurityWeek inquiry, WebScrapingAPI revealed that the threat actor published the malicious package versions after obtaining an outdated automation token that was not protected by two-factor authentication.
Using the token, the attacker published versions that did not exist in the GitHub repository, bumped the version numbers to make them appear legitimate, and refrained from deprecating code, "hoping the new releases would propagate before anyone noticed," WebScrapingAPI said.
"There is no evidence of a breach in our source-code repository, build pipeline, or corporate network. The incident was limited to the NPM registry," the company said.
WebScrapingAPI also confirmed that the malicious versions downloaded a backdoor and opened a communication channel to a remote command-and-control (C&C) server.
"The malicious code was never present in our GitHub repository; it was introduced only in the NPM artifacts, making this a classic supply-chain attack," the company told SecurityWeek.
Users of rand-user-agent who installed any of the malicious versions (2.0.84, 1.0.110, and 2.0.83) are advised to revert to version 2.0.82 as soon as possible and to check their systems for the presence of malicious code and other indicators of compromise.
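As an added example (not code from the article, Aikido or WebScrapingAPI), the following Node script audits a package-lock.json object for every installed copy of rand-user-agent, flags the versions named above, and also flags any version that npm serves but the source repository has no tag for, which is the registry-versus-repo mismatch that exposed this attack. The sample lockfile and the tag set are constructed for the demonstration.

```javascript
// Added example (not from the article, Aikido, or WebScrapingAPI). Scans a
// package-lock.json object for rand-user-agent and classifies each install.
const PACKAGE = 'rand-user-agent';
const MALICIOUS = new Set(['2.0.83', '2.0.84', '1.0.110']); // versions named in the article
const LAST_CLEAN = '2.0.82';

// Collect every installed copy (lockfile v2/v3 "packages" map, or v1 nested "dependencies").
function collectInstalled(lock, name) {
  const hits = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`)) {
      hits.push({ path: p, version: meta.version });
    }
  }
  const walkV1 = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${dep}`;
      if (dep === name) hits.push({ path: p, version: meta.version });
      walkV1(meta.dependencies, `${p}/`);
    }
  };
  if (!lock.packages) walkV1(lock.dependencies, '');
  return hits;
}
// A version is "malicious" if listed in the article; "registry-only" if npm has it
// but the source repo carries no tag for it (the mismatch Aikido spotted); else "ok".
function assess(lock, repoTags) {
  return collectInstalled(lock, PACKAGE).map((h) => ({
    ...h,
    status: MALICIOUS.has(h.version) ? 'malicious'
      : repoTags.has(h.version) ? 'ok' : 'registry-only',
    action: h.version === LAST_CLEAN ? 'none' : `pin to ${LAST_CLEAN} and check for IoCs`,
  }));
}
// Constructed sample data: a lockfile with a direct and a nested copy, and an
// assumed tag set (in practice, fetch the real tag list from the upstream repository).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/rand-user-agent': { version: '2.0.84' },
    'node_modules/some-scraper': { version: '0.3.1' },
    'node_modules/some-scraper/node_modules/rand-user-agent': { version: '2.0.82' },
  },
};
const SAMPLE_REPO_TAGS = new Set(['2.0.81', '2.0.82']); // constructed, not the real tag list
function auditSample() { return assess(SAMPLE_LOCK, SAMPLE_REPO_TAGS); }
console.log(JSON.stringify(auditSample(), null, 2));
```

To audit a real project, replace SAMPLE_LOCK with the parsed contents of its package-lock.json and SAMPLE_REPO_TAGS with the tags fetched from the upstream repository.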
"We apologize to every developer and organization impacted by this incident. Protecting the open-source ecosystem is a responsibility we take seriously, and we're committed to full transparency as we close every gap that allowed this attack to occur," WebScrapingAPI said.