Full Report
An npm package named 'rand-user-agent' has been compromised in a supply chain attack to inject obfuscated code that activates a remote access trojan (RAT) on the user's system. [...]
Analysis Summary
# Incident Report: Supply Chain Attack Targeting npm Package 'rand-user-agent'
## Executive Summary
Attackers successfully injected malicious code into the popular npm package `rand-user-agent`, which has approximately 45,000 weekly downloads. The malicious versions established a Remote Access Trojan (RAT) utilizing socket communication to an external C2 server, allowing attackers to execute arbitrary commands and exfiltrate system information. The threat was mitigated by removing the malicious versions from the npm repository, but organizations using the compromised versions require immediate manual remediation.
## Incident Details
- **Discovery Date:** Not explicitly stated, but inferred around the time of public disclosure/removal.
- **Incident Date:** Attack deployment occurred across versions 2.0.83, 2.0.84, and 1.0.110, published after the last legitimate version (2.0.82) released 7 months prior to discovery.
- **Affected Organization:** The maintainers/developers of the `rand-user-agent` npm package. Upstream consumers are also compromised.
- **Sector:** Software Development / Supply Chain.
- **Geography:** Global (due to the nature of public npm packages).
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing, corresponding to the release of versions 2.0.83, 2.0.84, and 1.0.110 (occurring after version 2.0.82, released 7 months prior).
- **Vector:** Supply Chain compromise via malicious injection into the trusted npm package 'rand-user-agent'.
- **Details:** Malicious code was hidden in the `index.js` file, only visible by scrolling horizontally in the npm site source view, indicating an attempt at stealthy code hiding. These package versions lacked corresponding GitHub releases, suggesting the breach was localized to the publishing pipeline.
### Lateral Movement
- The investigation found that, after execution, the RAT extended Node.js's `module.paths` lookup list so that 'axios' and 'socket.io-client' were loaded from a hidden directory (`~/.node_modules`) created under the user's home folder, suggesting it had the privileges to write configuration files in the user environment.
### Data Exfiltration/Impact
- The RAT establishes a persistent socket connection to C2 at `http://85.239.62[.]36:3306`.
- Initial communication sends machine ID information, including hostname, username, OS type, and a generated UUID.
- Subsequent activity involves listening for commands to execute shell commands, upload files, or change directories.
### Detection & Response
- **Detection:** Implicitly detected by security researchers analyzing supply chain threats.
- **Response actions taken:** Malicious versions (2.0.83, 2.0.84, and 1.0.110) were subsequently removed from the npm package repository.
## Attack Methodology
- **Initial Access:** Supply Chain Injection (via compromised package publishing).
- **Persistence:** RAT establishes a persistent socket connection to the C2 server and modifies `module.paths` to load dependencies from a hidden directory (`~/.node_modules`).
- **Privilege Escalation:** Not explicitly detailed, but writing to the user's home directory is implied.
- **Defense Evasion:** Code was obfuscated and pushed past the visible width of the npm site's source viewer, so it appeared only when scrolling horizontally.
- **Credential Access:** Not explicitly detailed, but the RAT functionality allows for potential credential theft via shell command execution.
- **Discovery:** The RAT is capable of executing arbitrary shell commands (`child_process.exec()`) which could be used for system reconnaissance.
- **Lateral Movement:** Not explicitly detailed beyond initial host compromise, but the RAT commands suggest file movement capability.
- **Collection:** Ability to upload single files (`ss_upf:f,d`) or entire directories (`ss_upd:d,dest`).
- **Exfiltration:** Exfiltration occurs via the persistent socket connection to the attacker-controlled C2.
- **Impact:** Remote Code Execution capability and data theft via RAT persistence.
## Impact Assessment
- **Financial:** Not estimated in the provided text, but potential costs include incident response, system rebuilding, and potential regulatory fines if PII/sensitive data was exfiltrated.
- **Data Breach:** Machine identifying information (hostname, username, OS type, UUID) was transmitted. Full file system access suggests potential access to any data within the user context.
- **Operational:** Any development environment using the compromised package versions would have a functional RAT installed, leading to severe operational risk.
- **Reputational:** Damage to the trust placed in third-party open-source packages and the 'rand-user-agent' project maintainers.
## Indicators of Compromise
- **Network indicators (defanged):** C2 connection attempt to `http://85.239.62[.]36:3306`.
- **File indicators:** Creation of the hidden directory `~/.node_modules`. Loading of 'axios' and 'socket.io-client' from this custom path (implying persistence mechanism).
- **Behavioral indicators:** Runtime modification of the Node.js `module.paths` lookup list. Execution of arbitrary shell commands via RAT.
## Response Actions
- **Containment measures:** Removal of malicious versions (2.0.83, 2.0.84, 1.0.110) from the npm package repository.
- **Eradication steps:** Affected users must manually perform a full system scan, as **downgrading to a legitimate version does not remove the RAT**.
- **Recovery actions:** Reverting to the last known legitimate version (2.0.82) or migrating to a trusted, monitored fork of the 'rand-user-agent' tool.
## Lessons Learned
- Obfuscation techniques, even blatant ones (like hiding code via horizontal scroll trickery), can successfully evade casual inspection during code reviews or tooling scans if not specifically targeted.
- Supply chain attacks remain a critical threat vector, especially for widely used utility packages like those on npm.
- Automated dependency auditing and security scanning must be continuous, regardless of the time elapsed since the last legitimate release.
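
A review aid for the horizontal-scroll hiding described above, added here as an example and not taken from the package or from the researchers' tooling. The function name, the 80-character gap threshold and the sample source are assumptions of this example; the heuristic flags text that follows a long whitespace run on the same line, which ordinary minified code does not trigger.

```javascript
// Heuristic (an assumption of this example): a run of >= minGap spaces/tabs followed by
// more text on the same line pushes that text past the visible width of a source viewer.
function findScrollHiddenCode(source, minGap = 80) {
  const gap = new RegExp(`(?:^|\\S)[ \\t\\u00a0]{${minGap},}(?=\\S)`, 'g');
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const m of text.matchAll(gap)) {
      const start = m.index + m[0].length; // 0-based offset of the first hidden character
      findings.push({
        line: i + 1,
        column: start + 1,
        hiddenChars: text.length - start,
        preview: text.slice(start, start + 40),
      });
    }
  });
  return findings;
}

// Constructed sample: a visible statement, 200 spaces, then a harmless stand-in payload.
const SAMPLE = [
  "const pick = require('./pick');",
  'module.exports = pick;' + ' '.repeat(200) + ';(function () { /* stand-in */ })();',
  '',
].join('\n');

if (typeof module !== 'undefined' && require.main === module) {
  const file = process.argv[2]; // optional: path to an installed package's index.js
  const src = file ? require('fs').readFileSync(file, 'utf8') : SAMPLE;
  console.table(findScrollHiddenCode(src));
}
```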
## Recommendations
- Immediately scan all environments that consumed `rand-user-agent` versions 2.0.83, 2.0.84, or 1.0.110.
- Implement strict dependency locking (hash verification) to prevent silent updates to malicious versions.
- Organizations should prioritize using forked, well-monitored, and actively maintained versions of critical open-source dependencies when author trust is questionable or activity ceases.
- Enhance logging and monitoring focused on process execution originating from JavaScript runtime environments (like Node.js) that attempt to establish network connections or modify system paths.
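
One way to carry out the first recommendation, added here as an example and not part of the original report: it checks a `package-lock.json` for the three compromised versions and, because downgrading does not remove the RAT, also looks for the `~/.node_modules` directory on the host. Function names and the sample lockfile are constructed for this example.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');
const PKG = 'rand-user-agent';
const BAD_VERSIONS = new Set(['2.0.83', '2.0.84', '1.0.110']); // versions named in this report

// Returns [{ location, version }] for each locked copy of PKG at a compromised version.
// Reads the "packages" map (lockfileVersion 2/3) or nested "dependencies" (lockfileVersion 1).
function findCompromised(lock) {
  const hits = [];
  const check = (name, version, location) => {
    if (name === PKG && BAD_VERSIONS.has(version)) hits.push({ location, version });
  };
  for (const [location, meta] of Object.entries(lock.packages || {})) {
    // "name" is set when the install folder differs from the package name (npm aliases).
    check(meta.name || location.split('node_modules/').pop(), meta.version, location);
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const location = `${prefix}node_modules/${name}`;
      check(name, meta.version, location);
      walk(meta.dependencies, `${location}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, ''); // v2 files carry both maps; avoid double hits
  return hits;
}

// Host-side check for the hidden directory listed under Indicators of Compromise.
function hiddenModuleDir(home = os.homedir()) {
  const dir = path.join(home, '.node_modules');
  return fs.existsSync(dir) ? { dir, entries: fs.readdirSync(dir).sort() } : null;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/rand-user-agent': { version: '2.0.83' },
    'node_modules/scraper/node_modules/rand-user-agent': { version: '2.0.82' },
  },
};

if (typeof module !== 'undefined' && require.main === module) {
  const file = process.argv[2]; // optional path to a package-lock.json
  const lock = file ? JSON.parse(fs.readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  console.log({ lockfile: findCompromised(lock), host: hiddenModuleDir() });
}
```

A hit in the lockfile means the host that installed it needs the full scan described under Response Actions, whatever the directory check returns.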