Aikido Uncovers Malicious Code in Popular npm Package rand-user-agent

Aikido Security has uncovered a Remote Access Trojan (RAT) embedded in rand-user-agent, a JavaScript package downloaded ~45,000 times weekly from the npm registry.

“On 5 May, our automated malware analysis pipeline detected a suspicious package… It detected signs of a supply chain attack against this legitimate package,” Aikido Security warns.

The package in question generates randomized user-agent strings and is maintained by WebScrapingAPI. But starting with version 1.0.110, attackers had injected deeply obfuscated malicious code that turned the utility into a full-fledged surveillance tool.

Aikido’s report shows the attackers used a scrollbar trick to conceal the backdoor within dist/index.js, effectively hiding heavily obfuscated JavaScript at the bottom of the file. The code reveals a cleverly constructed malware loader that exfiltrates data and sets up covert socket communication.

Once activated, the malicious script sets up:

• A socket.io-client connection to a C2 server at http://85.239.62[.]36:3306
• A file exfiltration pipeline via HTTP POST to http://85.239.62[.]36:27017/u/f
• Dynamic installation of dependencies (axios, socket.io-client) in a stealth .node_modules directory in the user’s home

Upon connection, the RAT identifies the host with a unique ID, sends OS details, and awaits remote commands.

Supported commands include:

| Command         | Purpose                                                       |
| --------------- | ------------------------------------------------------------- |
| cd              | Change current working directory                              |
| ss_dir          | Reset directory to script’s path                              |
| ss_fcd:<path>   | Force change directory to <path>                              |
| ss_upf:f,d      | Upload single file f to destination d                         |
| ss_upd:d,dest   | Upload all files under directory d to destination dest        |
| ss_stop         | Sets a stop flag to interrupt current upload process          |
| Any other input | Treated as a shell command, executed via child_process.exec() |

One of the stealthiest features is a Windows-specific PATH hijack. The RAT appends the following to the beginning of the system’s PATH: %LOCALAPPDATA%\Programs\Python\Python3127.

“By injecting this directory at the start of PATH, any command relying on environment-resolved executables… may be silently hijacked,” the researcher explains.

This means even legitimate-looking Python commands could be routed through malware-controlled executables if the directory contains them.

Interestingly, GitHub shows the last legitimate release of the package as 2.0.82. However, the npm registry contains malicious updates:

• 1.0.110
• 2.0.83
• 2.0.84

Each of these versions contains the malicious payload. This mismatch points to a supply chain compromise, likely involving unauthorized publishing rights on npm.

If you’ve installed rand-user-agent, check for the compromised versions and monitor for communications to the following IOCs:

• C2 Server: http://85.239.62[.]36:3306
• File Upload Endpoint: http://85.239.62[.]36:27017/u/f

Look for unexpected dependencies or stealth .node_modules folders in home directories.

Related Posts:

• Malware on npm “Patches” Local Packages with Reverse Shell
• Malicious npm Packages Exploiting Typosquatting to Inject SSH Backdoors
• ChatGPT Hits 400 Million Weekly Users