Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Supplychain. Show all posts
Trojan
Aikido Attack Backdoor Cyber Security DevSecOps JavaScript NPM npmregistry obfuscatedcode Opensource randuseragent RAT Security Supplychain Trojan

Compromised npm Package 'rand-user-agent' Used to Spread Remote Access Trojan

 

A widely-used npm package, rand-user-agent, has fallen victim to a supply chain attack, where cybercriminals injected obfuscated code designed to install a Remote Access Trojan (RAT) on users’ systems.

Originally developed to generate randomized user-agent strings—helpful in web scraping, automation, and cybersecurity research—the package was deprecated but remained in use, logging approximately 45,000 downloads per week.

Security experts at Aikido uncovered the compromise on May 5, 2025, when their malware detection tools flagged version 1.0.110 of rand-user-agent. A deeper investigation revealed hidden malicious code in the dist/index.js file. This code was deliberately obscured and only viewable with horizontal scrolling on the npm website.

Researchers confirmed that the last legitimate release was version 2.0.82, uploaded seven months ago. The malicious code appeared in unauthorized versions 2.0.83, 2.0.84, and 1.0.110, none of which corresponded with updates on the project's GitHub repository—an indicator of foul play.

Once installed, the malicious versions create a hidden directory in the user’s home path (~/.node_modules) and modify the module loading path to prioritize this directory. They then load specific dependencies such as axios and socket.io-client, and establish a persistent connection to the attacker’s command and control (C2) server at http://85.239.62[.]36:3306.

Through this connection, the attacker retrieves critical system data—such as hostname, OS type, username, and a generated UUID. Once activated, the RAT listens for the following commands:
  • cd <path>: Change directory
  • ss_dir: Reset directory to script path
  • ss_fcd:<path>: Force change to a new directory
  • ss_upf:f,d: Upload single file
  • ss_upd:d,dest: Upload all files in a directory
  • ss_stop: Stop ongoing upload
  • Any other input is executed via child_process.exec()

Currently, the malicious versions have been removed from the npm repository. Developers are urged to revert to the latest clean version. However, users who installed versions 2.0.83, 2.0.84, or 1.0.110 are advised to run a full malware scan, as downgrading the package does not eliminate the RAT.

For continued use, it’s recommended to switch to a forked and actively maintained alternative of rand-user-agent.

The original developer responded to BleepingComputer with the following statement:

“On 5 May 2025 (16:00 UTC) we were alerted that three unauthorized versions of rand-user-agent had been published to the npm registry (1.0.110, 2.0.83, 2.0.84). The malicious code was never present in our GitHub repository; it was introduced only in the npm artifacts, making this a classic supply-chain attack.

Our investigation (still ongoing) shows that the adversary obtained an outdated automation token from an employee and used it to publish releases to npm. That token had not been scoped with 2-factor authentication, allowing the attacker to: Publish versions that did not exist in GitHub, Increment the version numbers to appear legitimate, Deprecate nothing, hoping the new releases would propagate before anyone noticed.

There is no evidence of a breach in our source-code repository, build pipeline, or corporate network. The incident was limited to the npm registry.

We apologize to every developer and organization impacted by this incident. Protecting the open-source ecosystem is a responsibility we take seriously, and we are committed to full transparency as we close every gap that allowed this attack to occur.”
Read more »
Supplychain
Broker Support Comtel Cyber Security Cyber Vulnerabilities Cyberattacls CyberCrime Cyberhackers CyberThreat Supplychain

Critical Vulnerability Found in Cleo's File-Sharing Tools: Immediate Action Required

 


A critical security vulnerability has been discovered in Cleo's popular file-sharing tools, including Cleo Integration Cloud, Cleo Harmony, and Cleo VLTrader. This flaw puts businesses and users at significant risk of cyberattacks, prompting cybersecurity experts to urge immediate preventive measures.

The Vulnerability and Its Potential Impact

Security researchers have identified a critical flaw in Cleo's file-sharing platforms, which could allow remote attackers to access sensitive files and even manipulate data transfers. The vulnerability primarily affects enterprises using Cleo’s tools for B2B file transfers. This flaw makes it easier for attackers to intercept data during transmission or exploit weak authentication protocols to gain unauthorized access to the systems.

This issue is not just a theoretical risk—there have already been incidents where hackers have successfully exploited similar vulnerabilities in other systems. Given the widespread use of Cleo tools across industries such as healthcare, logistics, and finance, the potential damage is severe, with sensitive business data and personal information at risk.

Cleo's Response and Immediate Steps for Users

Cleo has acknowledged the issue and is working to release an updated patch that addresses the vulnerability. However, experts warn that until this patch is fully deployed, businesses should take immediate precautions. The following actions are recommended to reduce the risk:

  • Install the latest security updates from Cleo as soon as they are available.
  • Place all file-sharing tools behind a robust firewall to prevent unauthorized access.
  • Monitor network activity for unusual file transfers or signs of potential breaches.
  • Enforce strong authentication protocols, including multi-factor authentication wherever possible.

By following these best practices, organizations can minimize their exposure while awaiting a more comprehensive fix from Cleo.

The Broader Implications for File-Sharing Security

This incident highlights a growing trend in vulnerabilities affecting file-sharing and managed file transfer (MFT) tools. In 2023, a similar flaw was discovered in the MOVEit MFT solution, which was exploited by cybercriminals to access sensitive corporate data worldwide. As more organizations rely on file-sharing platforms to facilitate data exchange, the importance of securing these tools cannot be overstated.

Recommended Security Measures for File-Sharing Platforms

To protect against potential threats, companies using file-sharing tools should implement the following security measures:

  • Regularly apply security patches and updates provided by software vendors.
  • Ensure that all file-sharing systems are protected by firewalls and other protective layers.
  • Continuously monitor file transfer activities for any signs of unauthorized access or data manipulation.

As file-sharing tools are integral to the functioning of modern enterprises, prioritizing their security is essential for safeguarding sensitive data and ensuring operational continuity.

Read more »
Subscribe to: Posts (Atom)