A sophisticated supply chain attack targeting the popular npm package 'rand-user-agent' was discovered on May 5, 2025.
The compromise affects a legitimate JavaScript library used to generate randomized user-agent strings for web scraping operations, inserting malicious code that establishes remote access capabilities on infected systems.
Security researchers detected suspicious code in version 1.0.110 of the package, which was published without authorization from the original maintainers at WebScrapingAPI.
The attack is particularly concerning given that 'rand-user-agent' averages roughly 45,000 weekly downloads, creating a large potential attack surface across development environments.
The package remained uncompromised for years until this recent incident, with the last legitimate version (2.0.82) published seven months ago according to the official GitHub repository.
Three malicious versions have since appeared on the npm registry: 2.0.83, 2.0.84, and 1.0.110.
Aikido researchers identified the malware through their automated analysis pipeline, noting how the attackers concealed their code by placing it beyond the normal horizontal scroll view in the package's distribution files.
Upon analysis, the malicious payload was identified as a sophisticated Remote Access Trojan (RAT) dubbed "RATatouille" due to its ability to hide among legitimate code while establishing persistence.
The embedded malware establishes covert communication channels with command-and-control infrastructure at 85.239.62[.]36, using port 3306 for socket connections and port 27017 for file exfiltration.
Upon execution, the RAT reports system information including hostname, username, operating system type, and process ID to its operators.
Security analysis reveals that the malicious versions attempt to evade detection by employing multiple layers of obfuscation and by creating a hidden node_modules directory in the user's home folder to store additional malicious components.
Technical Analysis of Infection Mechanism
The RAT employs a sophisticated installation technique, dynamically importing dependencies such as 'socket.io-client' and 'axios' if they are not already present.
It modifies module paths to ensure these dependencies load from its own custom node_modules directory rather than the project's legitimate one.
This approach allows the malware to operate independently of the project's dependency structure.
One particularly concerning capability is the Windows-specific PATH hijack targeting Python installations.
The malware prepends a non-standard Python directory to the system PATH:
const Y = path.join(
  process.env.LOCALAPPDATA || path.join(os.homedir(), 'AppData', 'Local'),
  'Packages\\Python\\Python3127'
)
env.PATH = Y + ';' + process.env.PATH
This PATH manipulation allows the attackers to execute malicious binaries whenever a Python-related command is run, effectively hijacking legitimate Python operations.
Suspicious code (Source: Aikido)
The malware hides its code in the distribution file by placing it beyond the visible area of code editors.
Organizations using any version of rand-user-agent published after October 2024 should immediately check for indicators of compromise, particularly unauthorized network connections to the identified C2 infrastructure and unexpected modifications to Python environment paths.
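The two checks recommended above, as an added example written for this article rather than code from Aikido or the rand-user-agent project: it scans an npm lockfile (lockfileVersion 2/3 "packages" map) for the three malicious versions named in the article, and inspects a Windows PATH string for the prepended Python3127 directory from the snippet. The lockfile and PATH values are constructed samples.

```javascript
// Versions of rand-user-agent identified as malicious in the article.
const COMPROMISED_VERSIONS = new Set(['2.0.83', '2.0.84', '1.0.110']);
const TARGET_PACKAGE = 'rand-user-agent';
// Directory the malware prepends to PATH (matches either slash style).
const PATH_IOC = /Packages[\\/]Python[\\/]Python3127/i;

// Walk every entry in the lockfile, including nested node_modules paths,
// and return the locations where a compromised version is pinned.
function findCompromisedPackages(lockfile) {
  const hits = [];
  const packages = (lockfile && lockfile.packages) || {};
  for (const [key, meta] of Object.entries(packages)) {
    if (key === '' || !meta) continue; // '' is the root project itself
    const marker = 'node_modules/';
    const name = key.slice(key.lastIndexOf(marker) + marker.length);
    if (name === TARGET_PACKAGE && COMPROMISED_VERSIONS.has(meta.version)) {
      hits.push({ path: key, version: meta.version });
    }
  }
  return hits;
}

// Return the PATH entries that point at the hijack directory.
function pathHijackIndicators(pathValue) {
  return String(pathValue || '')
    .split(';')
    .filter((entry) => PATH_IOC.test(entry));
}

// Constructed sample lockfile: one nested copy is the last clean release,
// the top-level copy is a malicious version.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'scraper-demo', version: '1.0.0' },
    'node_modules/axios': { version: '1.6.0' },
    'node_modules/rand-user-agent': { version: '2.0.83' },
    'node_modules/some-dep/node_modules/rand-user-agent': { version: '2.0.82' },
  },
};
// Constructed sample PATH with the injected directory in front.
const samplePath =
  'C:\\Users\\dev\\AppData\\Local\\Packages\\Python\\Python3127;C:\\Windows\\System32';

console.log(JSON.stringify(findCompromisedPackages(sampleLock)));
console.log(JSON.stringify(pathHijackIndicators(samplePath)));
```

On a real host, load package-lock.json with JSON.parse and pass process.env.PATH; an empty result from both functions does not rule out compromise, since the article also describes a hidden node_modules directory in the user's home folder and outbound connections to the C2 address.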