Remote access Trojan in npm package

Remote access Trojan found in npm package with 40,000 weekly downloads

Attackers had added malicious code to the rand-user-agent package, which is used for automated tests and web scraping, among other things.

Compromised variants of the "rand-user-agent" package, carrying a remote access Trojan (RAT), have appeared on npm. Although the package is marked as deprecated, it is still downloaded a good 40,000 times a week. Anyone who has used it in the past few weeks could have picked up malicious code. The package generates random user agent strings, i.e. the strings that clients such as browsers send to identify themselves to a server. Its publisher, WebScrapingAPI, uses it for web scraping, but it also serves other purposes such as automated tests or security checks.

Trojanized updates crept in quietly

The last official version 2.0.82 is seven months old, and the publisher WebScrapingAPI has marked the package as deprecated (obsolete). The GitHub repository linked on the npm page no longer exists.

However, Aikido, a company specializing in supply chain security, found more recent versions of the package published on npm. These introduced malicious code in the dist/index.js file, which was not immediately visible in the preview on npm and was obfuscated in several layers.

The code sets up a covert channel to a command-and-control (C2) server and installs modules in a folder called .node_modules. Among other things, the client then sends an ID and information about the client's operating system to the server.

On Windows, a bogus Python PATH entry is added as well

In addition, on Windows the initialization script creates a new folder and prepends it to the PATH environment variable. The folder name Python3127 is meant to suggest an official folder belonging to the programming language, so that malicious code placed there can pose as Python tooling and may be invoked by official Python distributions.

The compromised packages have since been removed from npm. They carried the version numbers 2.083, 2.084 and 1.0.110. Anyone who has used the package in recent months should check whether malicious code is present on the machine or whether communication with the C2 server has taken place.
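A defender-side triage script for two of the indicators named above, written as an added example and not code from the article, Aikido or WebScrapingAPI: it scans a package-lock.json for the listed rand-user-agent versions (strings taken as printed in the article) and reports any Python3127 entry in a captured PATH value together with its position. The lockfile and PATH value are constructed sample inputs; the delimiter is passed in explicitly so a Windows PATH can be checked on any host.

```javascript
// Added example, not code from the article, Aikido or WebScrapingAPI: triage
// the indicators the article names. All sample data below is constructed.
const PACKAGE = "rand-user-agent";
const BAD_VERSIONS = new Set(["2.083", "2.084", "1.0.110"]); // as printed in the article
const SUSPECT_DIR = "Python3127"; // folder the Windows init script prepends to PATH

// Return every rand-user-agent entry in a package-lock.json with a listed version.
// Handles the lockfileVersion 2/3 "packages" map (keys like
// "node_modules/a/node_modules/rand-user-agent") and the v1 "dependencies" tree.
function findCompromisedEntries(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key.endsWith("node_modules/" + PACKAGE) && BAD_VERSIONS.has(meta.version)) {
        hits.push({ path: key, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = prefix + "node_modules/" + name;
      if (name === PACKAGE && BAD_VERSIONS.has(meta.version)) hits.push({ path: here, version: meta.version });
      walk(meta.dependencies, here + "/"); // nested copies under a dependency
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Return PATH entries whose last component is the Python3127 folder, with their
// position (index 0 is the prepended slot the article describes). Splits on both
// Windows and POSIX separators so a captured PATH value can be checked anywhere.
function findSuspectPathEntries(pathValue, delimiter) {
  return pathValue.split(delimiter)
    .map((entry, index) => ({ entry, index }))
    .filter(({ entry }) => entry.split(/[\\/]/).filter(Boolean).pop() === SUSPECT_DIR);
}

// Constructed sample inputs: a v3 lockfile with a compromised copy installed and a
// Windows PATH value with the bogus folder prepended.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/rand-user-agent": { version: "2.084" },
  "node_modules/left-pad": { version: "1.3.0" },
} };
const SAMPLE_PATH = "C:\\Users\\demo\\Python3127;C:\\Windows\\System32;C:\\Python312\\Scripts";
console.log(findCompromisedEntries(SAMPLE_LOCK));      // [{ path: 'node_modules/rand-user-agent', version: '2.084' }]
console.log(findSuspectPathEntries(SAMPLE_PATH, ";")); // [{ entry: 'C:\\Users\\demo\\Python3127', index: 0 }]
```

The third indicator from the article, a .node_modules folder dropped by the installer, is a filesystem check and is not covered by this script.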

Found at https://www.heise.de/news/Remote-Access-Trojaner-in-npm-Paket-mit-40-000-woechentlichen-Downloads-gefunden-10377590.html