Researchers detected a malicious update to the popular npm package rand-user-agent, used for generating randomized user-agent strings. The attacker published multiple unauthorized versions (1.0.110, 2.0.83, 2.0.84) containing heavily obfuscated code designed to covertly install a Remote Access Trojan (RAT). This RAT establishes a persistent communication channel with a command-and-control server and exfiltrates data via HTTP POST requests.

The malware dynamically installs required dependencies (axios, socket.io-client) in a hidden .node_modules folder within the user’s home directory. It supports a range of remote commands — from changing directories and uploading files to executing arbitrary shell commands. On Windows, it leverages a PATH hijack by prepending a fake Python directory to the PATH environment variable, enabling silent execution of attacker-controlled binaries.