Remote access Trojan found in npm package with 40,000 weekly downloads

Attackers had added malicious code to the rand-user-agent package, which is used for automatic tests and web scraping, among other things.

[Image: artistic representation of a computer board with a painted horse. Skorzewiak/Shutterstock.com]


Compromised versions of the "rand-user-agent" package, carrying a remote access Trojan, have surfaced on npm. Although the package is marked as deprecated, it is still downloaded a good 40,000 times a week. Anyone who has installed it in recent weeks could have picked up the malicious code.

The package generates random user agent strings, i.e. the strings that clients such as browsers send to a server to identify themselves. Its publisher, WebScrapingAPI, uses it for web scraping, but it is also used for other purposes such as automated tests or security checks.

The last legitimate version, 2.0.82, is seven months old, and the publisher WebScrapingAPI has marked the package as deprecated (obsolete). The GitHub repository linked on the npm page no longer exists.

However, Aikido, a company specializing in supply chain security, found versions of the package on npm that were published after that. They introduced malicious code in the file dist/index.js, which was not immediately visible in the npm preview and was obfuscated in several layers.


The code sets up a communication channel to a command-and-control (C2) server and installs its own dependencies in a folder named .node_modules. The client then sends an ID and information about the victim's operating system to the server, among other things.

The remote access Trojan supports the following commands:

| Command         | Purpose                                                       |
| --------------- | ------------------------------------------------------------- |
| cd              | Change current working directory                              |
| ss_dir          | Reset directory to script’s path                              |
| ss_fcd:<path>   | Force change directory to <path>                              |
| ss_upf:f,d      | Upload single file f to destination d                         |
| ss_upd:d,dest   | Upload all files under directory d to destination dest        |
| ss_stop         | Sets a stop flag to interrupt current upload process          |
| Any other input | Treated as a shell command, executed via child_process.exec() |

On Windows, the initialization script additionally creates a new folder and prepends it to the PATH environment variable. The folder name Python3127 mimics the naming scheme of official per-user Python installations, so that binaries placed there look like legitimate Python tooling and, because the folder is searched first, shadow executables of the same name further down the PATH:

```javascript
const path = require('path');
const os = require('os');

// Decoy folder under %LOCALAPPDATA%\Programs\Python, where real
// per-user Python installs live (e.g. Python312 for Python 3.12)
const Y = path.join(
  process.env.LOCALAPPDATA || path.join(os.homedir(), 'AppData', 'Local'),
  'Programs\\Python\\Python3127'
)
// Put the decoy folder in front of every other PATH entry; `env` is the
// environment object the script uses for its child processes (not part
// of this excerpt)
env.PATH = Y + ';' + process.env.PATH
```

The compromised versions, 2.0.83, 2.0.84 and 1.0.110, have since been removed from npm. Anyone who has installed the package in recent months should check lockfiles and node_modules for these versions, look for the .node_modules folder and, on Windows, for the Python3127 directory in the PATH, and review whether the machine has communicated with the C2 server.

(rme)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.