A widely-used npm package, rand-user-agent, has fallen victim to a supply chain attack, where cybercriminals injected obfuscated code designed to install a Remote Access Trojan (RAT) on users’ systems.
Originally developed to generate randomized user-agent strings—helpful in web scraping, automation, and cybersecurity research—the package was deprecated but remained in use, logging approximately 45,000 downloads per week.
Security experts at Aikido uncovered the compromise on May 5, 2025, when their malware detection tools flagged version 1.0.110 of rand-user-agent. A deeper investigation revealed hidden malicious code in the dist/index.js file. This code was deliberately obscured and only viewable with horizontal scrolling on the npm website.
Researchers confirmed that the last legitimate release was version 2.0.82, uploaded seven months ago. The malicious code appeared in unauthorized versions 2.0.83, 2.0.84, and 1.0.110, none of which corresponded with updates on the project’s GitHub repository—an indicator of foul play.
Once installed, the malicious versions create a hidden directory in the user’s home path (~/.node_modules) and modify the module loading path to prioritize this directory. They then load specifi
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: