Malicious Remote Access Trojan Discovered in Popular npm Package

Fri 9th May, 2025

Security researchers have identified compromised versions of the npm package rand-user-agent, which is downloaded roughly 40,000 times a week. The package, mainly used for web scraping and automated testing, was found to contain a Remote Access Trojan (RAT).

The rand-user-agent package generates randomised user-agent strings of the kind web clients such as browsers send to servers. Although it has been marked as deprecated, it is still pulled in for automated testing, scraping and security assessments. Anyone who installed or updated the package in recent weeks may therefore have run the malicious code without noticing.

According to Aikido Security, a company specialising in software supply chain security, the later versions carried malicious code that was not immediately visible in npm's code viewer: it was pushed off-screen by long runs of whitespace and further obfuscated to hide its purpose. Once executed it opens a covert channel to a command-and-control (C2) server, installs the modules it needs into a directory named .node_modules in the user's home directory, and sends the server a client ID together with details of the operating system.

The RAT accepts the following commands from the C2 server:

  • cd: change the current working directory
  • ss_dir: reset the working directory to the script's own path
  • ss_fcd:<path>: force a change of directory to the given path
  • ss_upf:<f>,<d>: upload a single file f to destination d
  • ss_upd:<d>,<dest>: upload all files from directory d to destination dest
  • ss_stop: set a stop flag that halts the current upload
  • any other input: treated as a shell command and executed via child_process.exec()

On Windows the initialisation script additionally creates a new folder and prepends it to the PATH environment variable. The folder is named Python3127 so that it looks like an ordinary Python installation directory; any executable the attacker later drops there is found on PATH ahead of the real Python tools, so a legitimate-looking command can be silently replaced by malicious code.

The compromised versions, 2.0.83, 2.0.84 and 1.0.110, have since been removed from npm. If a lockfile or node_modules tree on a machine pins one of these versions, treat that machine as compromised: look for a .node_modules directory under the user's home, a Python3127 entry on PATH, and any traffic to the C2 server, and rotate credentials that were available to the affected account. The malicious code uses the following endpoints and protocols:

  Purpose             Endpoint                          Protocol
  Socket connection   http://85.239.62[.]36:3306        socket.io-client
  File upload target  http://85.239.62[.]36:27017/u/f   HTTP POST (multipart/form-data)
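The following Node.js script is an added example written for this article and is not code from Aikido or from the rand-user-agent project. It turns the indicators above into a triage check: it walks a package-lock.json (lockfileVersion 1, 2 or 3) for the three compromised versions and inspects a snapshot of the host for the .node_modules directory, the Python3127 PATH entry and connections to the C2 address. The lockfile, home-directory listing, PATH value and netstat lines embedded below are constructed sample data; the generalisation to nested copies of the package anywhere in the dependency tree is the script's own.

```javascript
// Added triage example for the rand-user-agent compromise (not the article's
// or Aikido's code). All inputs are passed in explicitly so the checks run
// offline against a lockfile and a snapshot of the host.

const AFFECTED = new Set(["2.0.83", "2.0.84", "1.0.110"]); // versions named in the article
const C2_RE = /\b85\.239\.62\.36:(3306|27017)\b/;           // socket.io and upload ports

// Return every installed copy of rand-user-agent whose version is compromised.
// Handles the "packages" map of lockfileVersion 2/3 and the nested
// "dependencies" tree of lockfileVersion 1, including transitive copies.
function findCompromised(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/rand-user-agent") && meta && AFFECTED.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits; // v2 lockfiles also carry "dependencies"; don't count twice
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "rand-user-agent" && AFFECTED.has(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Host-level indicators: ~/.node_modules, a Python3127 directory on PATH and
// established connections to the C2 host on either port.
function checkHostIndicators({ homeEntries, pathVar, pathSep, netstatLines }) {
  const findings = [];
  if (homeEntries.includes(".node_modules")) findings.push("~/.node_modules present");
  for (const dir of pathVar.split(pathSep)) {
    if (/python3127$/i.test(dir.replace(/[\\/]+$/, ""))) findings.push(`PATH entry ${dir}`);
  }
  for (const line of netstatLines) {
    const m = C2_RE.exec(line);
    if (m) findings.push(`connection to 85.239.62.36:${m[1]}`);
  }
  return findings;
}

function triage(lock, host) {
  return { compromised: findCompromised(lock), indicators: checkHostIndicators(host) };
}

// Wiring for a real machine: reads ./package-lock.json, the home directory and
// PATH; paste the output of `netstat -an` in as netstatLines.
function triageThisMachine(netstatLines = []) {
  const fs = require("fs");
  const os = require("os");
  const lock = fs.existsSync("package-lock.json")
    ? JSON.parse(fs.readFileSync("package-lock.json", "utf8"))
    : {};
  return triage(lock, {
    homeEntries: fs.readdirSync(os.homedir()),
    pathVar: process.env.PATH || "",
    pathSep: process.platform === "win32" ? ";" : ":",
    netstatLines,
  });
}

// Constructed sample data (not captured from a real incident).
const SAMPLE_LOCK = {
  name: "scraper",
  lockfileVersion: 3,
  packages: {
    "": { name: "scraper", dependencies: { "rand-user-agent": "^2.0.82" } },
    "node_modules/rand-user-agent": { version: "2.0.84" },
    "node_modules/axios": { version: "1.6.8" },
  },
};
const SAMPLE_HOST = {
  homeEntries: [".node_modules", "Documents", "Downloads"],
  pathVar: "C:\\Windows\\system32;C:\\Users\\dev\\AppData\\Local\\Programs\\Python\\Python3127;C:\\Users\\dev\\AppData\\Local\\Programs\\Python\\Python312",
  pathSep: ";",
  netstatLines: [
    "  TCP    192.168.1.20:51432     85.239.62.36:3306      ESTABLISHED",
    "  TCP    192.168.1.20:51440     140.82.112.3:443       ESTABLISHED",
  ],
};

console.log(JSON.stringify(triage(SAMPLE_LOCK, SAMPLE_HOST), null, 2));
```

On the sample data the script reports one compromised copy (node_modules/rand-user-agent at 2.0.84) and three host indicators. A clean lockfile with a Python312 directory on PATH produces no findings, so the PATH check matches only the exact Python3127 name the article describes rather than every Python installation.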

The incident is a reminder that third-party packages, including deprecated ones that still receive thousands of weekly installs, need ongoing attention. Developers should pin dependencies in a lockfile, audit them regularly, and watch for advisories affecting the versions they actually ship.
