Supply chain attack hits npm package with 45,000 weekly downloads
Published on: 2025-07-18 15:03:24
An npm package named 'rand-user-agent' has been compromised in a supply chain attack to inject obfuscated code that activates a remote access trojan (RAT) on the user's system.
The 'rand-user-agent' package is a tool that generates randomized user-agent strings, which is helpful in web scraping, automated testing, and security research.
Although the package has been deprecated, it remains fairly popular, averaging 45,000 downloads weekly.
However, according to researchers at Aikido, threat actors took advantage of its semi-abandoned yet popular status to inject malicious code into unauthorized subsequent releases, which are likely to have been pulled in by a significant number of downstream projects.
Aikido detected the compromise on May 5, 2025, when its malware analysis system flagged a new release of rand-user-agent, version 1.0.110.
Upon deeper examination, the researchers found obfuscated code hidden in the 'dist/index.js' file that was only visible if the user scrolled horizonta
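The hiding technique described above, code placed far to the right of a line so it never appears in a normal editor viewport, is something a package review step can check for mechanically. The following is an added example, not code from the article or from the rand-user-agent project; the thresholds, the obfuscation markers and the sample input are assumptions constructed for illustration.

```javascript
// Heuristic scanner for JavaScript source that hides code past the visible
// horizontal area, as described for dist/index.js. Two signals are checked:
//   1. a long run of spaces/tabs with code on both sides (padding that pushes
//      the real payload off-screen);
//   2. an over-long line that also contains common obfuscation markers.
// Thresholds are assumptions; tune them for minified bundles you trust.
const LONG_LINE = 200;   // chars; editors rarely show more without scrolling
const PADDING_RUN = 40;  // spaces/tabs in a row inside a line is unusual in real code

const PADDING_RE = new RegExp("\\S([ \\t]{" + PADDING_RUN + ",})\\S");
const OBFUSCATION_RE = /\\x[0-9a-f]{2}|eval\(|Function\(|fromCharCode|atob\(/i;

// Returns one finding per suspicious line: { line, reason, offset }.
// `offset` is the column where the hidden or suspicious code begins.
function scanSource(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, idx) => {
    const lineNo = idx + 1;
    const pad = PADDING_RE.exec(line);
    if (pad) {
      // pad.index is the last visible char; hidden code starts after the run.
      findings.push({
        line: lineNo,
        reason: "code hidden after whitespace run",
        offset: pad.index + 1 + pad[1].length,
      });
      return;
    }
    if (line.length > LONG_LINE && OBFUSCATION_RE.test(line)) {
      findings.push({ line: lineNo, reason: "long line with obfuscation markers", offset: LONG_LINE });
    }
  });
  return findings;
}

// Constructed sample: a plausible-looking module line, 300 spaces of padding,
// then an obfuscated payload that would sit far off-screen in an editor.
const VISIBLE = "module.exports = function randomUA() { return 'Mozilla/5.0'; }";
const HIDDEN = "const _0x1a=['\\x68\\x74\\x74\\x70'];eval(_0x1a[0]);";
const SAMPLE = ["'use strict';", VISIBLE + " ".repeat(300) + HIDDEN, "// end of file"].join("\n");

console.log(JSON.stringify(scanSource(SAMPLE), null, 2));
```

Running the scanner over every `.js` file in an unpacked tarball before installing (or in CI on dependency bumps) turns the "scroll horizontally to see it" trick into a deterministic review finding.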