Rand-User-Agent’s Hidden Threat
Rand-user-agent, a popular npm package used to generate random user-agent strings, averages 45,000 weekly downloads and fell victim to a supply chain attack in May 2025. Attackers exploited its semi-abandoned status to inject malicious code that deploys a remote access trojan (RAT) on users’ systems.
How the Attack Unfolds
The compromise, detected on May 5, 2025, involved version 1.0.110 of rand-user-agent. Researchers found obfuscated code hidden in the package’s source file, placed so that it was only visible by scrolling far to the right in npm’s code viewer. The malicious versions 2.0.83, 2.0.84, and 1.0.110 have no corresponding GitHub releases, unlike the safe version 2.0.82.
What the Malicious Code Does
The RAT creates a hidden folder in the user’s home directory and then connects to a command-and-control server at a specific IP address, sending system details such as hostname and OS type. It lets attackers execute commands, upload files, or change directories remotely.
Why Supply Chain Attacks Matter
Supply chain attacks target trusted software in order to reach its downstream users. In 2021, the SolarWinds attack compromised multiple organizations through a hacked update, and npm’s open ecosystem makes it a similarly attractive target. Developers must therefore verify package integrity to avoid such risks.
Protecting Against Supply Chain Attacks
To prevent supply chain attacks, developers should verify package versions before installation; for example, confirm that a version published on npm has a matching release on GitHub. Additionally, use dependency scanners to detect malicious code, update software regularly, and scan systems for RATs. By staying proactive, users can minimize the risk of compromise.
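The npm-versus-GitHub cross-check described above, as an added example that is not part of the original post or the rand-user-agent project (the GitHub tag list and the lockfile fragment are constructed for illustration):

```javascript
// Added example, not from the original post or the rand-user-agent project: cross-check
// npm-published versions against GitHub release tags, then scan a package-lock.json for any
// install of a version with no matching release. Sample data is constructed; in practice
// fill it from `npm view rand-user-agent versions --json` and the GitHub releases API.

const PKG = 'rand-user-agent';
// Constructed: versions as the registry would list them.
const npmVersions = ['2.0.82', '1.0.110', '2.0.83', '2.0.84'];
// Constructed: release tags as GitHub would list them (only 2.0.82 has one).
const githubTags = ['v2.0.82'];

// GitHub tags are often prefixed with "v"; strip it before comparing.
function normalizeTag(tag) {
  return tag.replace(/^v/, '');
}

// Return versions published to npm that have no corresponding GitHub release.
function findUnreleasedVersions(versions, tags) {
  const released = new Set(tags.map(normalizeTag));
  return versions.filter((v) => !released.has(v));
}

// Walk a lockfile's "packages" map (lockfile v2/v3) and return every install
// of pkgName, direct or nested, whose version is in the suspicious list.
function findSuspiciousInstalls(lockfile, pkgName, suspicious) {
  const flagged = new Set(suspicious);
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path.endsWith(`node_modules/${pkgName}`) && flagged.has(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed lockfile fragment that pins the compromised 1.0.110.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/rand-user-agent': { version: '1.0.110' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

const suspicious = findUnreleasedVersions(npmVersions, githubTags);
const hits = findSuspiciousInstalls(sampleLock, PKG, suspicious);
console.log(`Versions of ${PKG} with no GitHub release: ${suspicious.join(', ')}`);
console.log(hits.length ? `Installed suspicious versions: ${JSON.stringify(hits)}` : 'None installed');
```

A missing GitHub release is a heuristic, not proof of compromise, since many legitimate packages are never tagged on GitHub; treat a hit as a prompt to inspect the published tarball rather than as a verdict.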
Sleep well, we got you covered.