Security Alert: Widespread NPM Package Compromised with Remote Access Trojan

CyberSecureFox 🦊

Cybersecurity researchers at Aikido have uncovered a severe security breach in the widely-used NPM package rand-user-agent, which averages over 45,000 weekly downloads. The compromise involved the injection of obfuscated malicious code that deploys a Remote Access Trojan (RAT) on affected systems, posing a significant threat to developers and organizations utilizing this package.

Compromise Details and Attack Vector Analysis

The security incident, discovered on May 5, 2025, targeted version 1.0.110 of the package, which is commonly used in web scraping and automated testing applications. Security analysis revealed that version 2.0.82 was the last legitimate release, with subsequent versions 2.0.83, 2.0.84, and 1.0.110 containing malicious payloads. The attack exploited the semi-abandoned state of the project, despite its continued widespread use in production environments.

Technical Analysis of the Malicious Payload

The RAT creates a hidden directory (~/.node_modules) and modifies module.paths so that its malicious dependencies can be loaded. Once installed, the malware maintains persistent communication with a command-and-control server at http://85.239.62[.]36:3306 and exfiltrates sensitive system information, including hostname, user data, and unique device identifiers.

Attack Vector and Security Implications

WebScrapingAPI, the package maintainer, has confirmed that the compromise occurred through an exposed legacy automation token lacking two-factor authentication protection. While the attackers successfully published compromised versions to npm, the project’s GitHub repository remained unaffected, highlighting the importance of securing deployment credentials separately from source code management.

Mitigation and Security Recommendations

Organizations and developers who have installed versions 2.0.83, 2.0.84, or 1.0.110 must conduct comprehensive system security audits. It is crucial to understand that simply updating the package will not remove the already deployed trojan. Security teams should implement the following measures:

Immediate Actions Required

– Conduct full system scans using updated antivirus solutions
– Review system logs for suspicious network connections
– Implement network monitoring for the identified C2 server address
– Rotate all development and deployment credentials
– Enable two-factor authentication on all npm accounts

This security incident serves as a critical reminder of the importance of supply chain security in the npm ecosystem. Organizations must implement robust security practices, including regular dependency audits, mandatory two-factor authentication, and automated security scanning of third-party packages. WebScrapingAPI has committed to enhanced security measures and transparent incident reporting to prevent similar compromises in the future.
