TIGR Threat@Security Risk Advisors
A supply chain attack has successfully compromised the 'rand-user-agent' npm package, injecting obfuscated code designed to activate a remote access trojan (RAT) on unsuspecting users' systems. This JavaScript library, used for generating randomized user-agent strings beneficial for web scraping and automated testing, has been averaging 45,000 weekly downloads despite being deprecated. The malicious activity was detected by an automated malware analysis pipeline on May 5, 2025, which flagged the [email protected] version for containing unusual code indicative of a supply chain attack.
The injected RAT was designed to establish a persistent connection with a command and control (C2) server at http://85.239.62[.]36:3306. Upon activation, the RAT transmits critical machine identification data, including hostname, username, operating system type, and a generated UUID, enabling attackers to uniquely identify and manage compromised systems. Once connected, the RAT listens for commands from the C2 server, allowing attackers to manipulate the file system, execute arbitrary shell commands, and exfiltrate data from affected systems. Researchers at Aikido noted that threat actors exploited the package's semi-abandoned but still popular status to inject malicious code into unauthorized releases. The compromised versions of the package were promptly removed from the npm repository. Users are advised to check their systems for any installations of the compromised package and implement robust security practices to mitigate the risk of similar supply chain attacks. This incident underscores the critical importance of vigilant monitoring and dependency management in software development to protect against supply chain vulnerabilities.
The Hacker News
Cybersecurity researchers have uncovered a sophisticated supply chain attack targeting the Go programming language ecosystem, revealing three malicious Go modules designed to wipe Linux systems. These modules, named github.com/truthfulpharm/prototransform, github.com/blankloggia/go-mcp, and github.com/steelpoor/tlsproxy, contain obfuscated code that fetches next-stage payloads capable of irrevocably overwriting a Linux system's primary disk, rendering it unbootable. The attack, discovered in April 2025, highlights the dangers of direct dependency imports from public repositories and the effectiveness of code obfuscation in evading detection.
The malicious modules are designed to specifically target Linux environments. Upon execution, they retrieve a destructive shell script from a remote server using wget. This script, known as "done.sh," employs the Unix utility 'dd' to overwrite the entire primary disk ("/dev/sda") with zeroes. This process effectively eliminates the file system, operating system, and all user data, leaving affected systems crippled and data unrecoverable. According to Socket researcher Kush Pandya, this destructive method ensures no data recovery tool or forensic process can restore the data, emphasizing the extreme danger posed by modern supply-chain attacks. This incident underscores the escalating risks present in open-source supply chains and the potential for seemingly trusted code to become devastating threats. The impact of such an attack includes complete data loss, prolonged operational downtime, and severe financial and reputational damage for affected organizations. Security experts recommend thorough dependency audits, the implementation of automated code scanning tools, and continuous monitoring solutions to detect obfuscated or suspicious behaviors in third-party packages as crucial mitigation steps.
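The dependency audit recommended above can start with a check of each go.mod for the three module paths named in this report. The following is an added example, not code from the researchers or the affected projects; the function name `FindFlagged` and the `sample` go.mod are constructed for illustration, and matching is by module path only.

```go
package main

import (
	"fmt"
	"strings"
)

// Module paths named in the advisory text above.
var flagged = []string{
	"github.com/truthfulpharm/prototransform",
	"github.com/blankloggia/go-mcp",
	"github.com/steelpoor/tlsproxy",
}

// sample is a constructed go.mod for illustration, not from a real project.
const sample = "module example.test/app\n\nrequire (\n\tgithub.com/blankloggia/go-mcp v0.0.0 // indirect\n" +
	"\texample.test/lib v1.2.0\n)\n\nreplace example.test/lib => github.com/steelpoor/tlsproxy v0.0.0\n"

// FindFlagged reports flagged modules in require and replace directives, in
// single-line and "( ... )" block form, as "line N: directive path".
func FindFlagged(goMod string) (hits []string) {
	dir, inBlock := "", false // current directive; whether we are inside "( ... )"
	for n, raw := range strings.Split(goMod, "\n") {
		line, _, _ := strings.Cut(raw, "//") // drop "// indirect" and other comments
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		if !inBlock {
			dir = f[0]
		}
		inBlock = f[len(f)-1] == "(" || (inBlock && f[0] != ")")
		for _, tok := range f { // a replace line carries two paths: old => new
			for _, m := range flagged { // exact path, or a sub-path such as /v2
				if (dir == "require" || dir == "replace") && (tok == m || strings.HasPrefix(tok, m+"/")) {
					hits = append(hits, fmt.Sprintf("line %d: %s %s", n+1, dir, tok))
				}
			}
		}
	}
	return hits
}

func main() {
	fmt.Println(strings.Join(FindFlagged(sample), "\n"))
}
```

Run it over every go.mod in a repository, including nested modules; the replace check matters because a replace directive can swap a benign-looking requirement for a flagged module.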