BleepingComputer reports that malicious code injected into the deprecated yet widely downloaded npm package 'rand-user-agent' as part of a supply chain attack has facilitated the deployment of a remote access trojan on systems where it has been installed.
According to Aikido researchers, rand-user-agent versions 2.0.83, 2.0.84, and 1.0.110, all published after the last legitimate version of the npm package and since removed, contained the malicious code. The code creates a hidden directory and extends module.paths for dependency loading, then opens a persistent socket connection to the command-and-control server, which receives system information. Once active, the RAT can run commands that change the current working directory, upload files, and execute shell commands, among others. Users have been urged to revert to the last official version of the npm package, but only after conducting full system scans to determine compromise.
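As an added example (not code from the report or from Aikido), the check below walks a parsed package-lock.json and lists every install path that pins one of the three versions named above. It handles both the flat `packages` layout and the older nested `dependencies` layout; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example. The affected versions are the ones named in the report above.
const PACKAGE = 'rand-user-agent';
const AFFECTED = new Set(['2.0.83', '2.0.84', '1.0.110']);

// Lockfile v2/v3: flat "packages" map keyed by install path.
function scanPackages(packages, hits) {
  for (const [path, meta] of Object.entries(packages || {})) {
    const name = meta.name || path.split('node_modules/').pop();
    if (name === PACKAGE && AFFECTED.has(meta.version)) hits.set(path, meta.version);
  }
}

// Lockfile v1: nested "dependencies" tree, so transitive copies are reached too.
function scanDependencies(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === PACKAGE && AFFECTED.has(meta.version)) hits.set(path, meta.version);
    scanDependencies(meta.dependencies, `${path}/`, hits);
  }
}

// Returns [{ path, version }] for each affected install, de-duplicated by path
// (v2 lockfiles carry both layouts for the same tree).
function findAffected(lock) {
  const hits = new Map();
  scanPackages(lock.packages, hits);
  scanDependencies(lock.dependencies, '', hits);
  return [...hits].map(([path, version]) => ({ path, version }));
}

// Constructed sample lockfile. "2.0.0" is a placeholder for a non-listed
// version, not a statement about which releases are clean.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/rand-user-agent': { version: '2.0.84' },
    'node_modules/scraper/node_modules/rand-user-agent': { version: '2.0.0' },
  },
  dependencies: {
    'rand-user-agent': { version: '2.0.84' },
    scraper: { version: '3.1.0', dependencies: { 'rand-user-agent': { version: '2.0.0' } } },
  },
};

console.log(findAffected(sampleLock));
```

A hit only shows that an affected version was resolved for install; it does not replace the system scan the advisory calls for, and a clean lockfile says nothing about machines that installed the package before the lockfile was last regenerated.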