New Supply Chain Attack Targets Legitimate npm Package with 45,000 Weekly Downloads

A sophisticated supply chain attack targeting the popular npm package ‘rand-user-agent’ was discovered on May 5, 2025. Security researchers detected suspicious code in version 1.0.110 of the package, which was published without authorization from the original maintainers at WebScrapingAPI. The package remained uncompromised for years until this recent incident, with the last legitimate version (2.0.82) published seven months ago according to the official GitHub repository. The attack is particularly concerning given that ‘rand-user-agent’ averages approximately 45,000 weekly downloads, creating a wide potential attack surface across development environments.

The compromise affects a legitimate JavaScript library used to generate randomized user-agent strings for web scraping operations, inserting malicious code that establishes remote access capabilities on infected systems. Aikido Push researchers identified the malware through their automated analysis pipeline, noting how the attackers concealed their code in the package’s distribution files by placing it beyond the normal horizontal scroll view, outside the visible area of code editors.

Upon analysis, the malicious payload was identified as a sophisticated Remote Access Trojan (RAT) dubbed “RATatouille” due to its capability to hide among legitimate code while establishing persistence. The embedded malware constructs covert communication channels with command-and-control infrastructure at 85.239.62[.]36, using both port 3306 for socket connections and port 27017 for file exfiltration. Security analysis reveals the malicious versions attempt to evade detection by employing multiple layers of obfuscation and establishing a hidden node_modules directory in the user’s home folder to store additional malicious components. The malware’s PATH manipulation allows attackers to execute malicious binaries whenever a Python-related command is triggered, effectively hijacking legitimate Python operations.

Organizations using any version of rand-user-agent published after October 2024 should immediately check for indicators of compromise, particularly unauthorized network connections to the identified C2 infrastructure and unexpected modifications to Python environment paths.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
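An added triage script, not from the article or from Aikido’s tooling, that turns the indicators above into checks a responder can run against a project tree: it lists installed copies of rand-user-agent with their versions, flags distribution files whose code sits behind long whitespace runs (the off-screen hiding technique), searches for the C2 host, and looks for a node_modules staging folder in the home directory. The padding threshold, the ~/node_modules and ~/.node_modules locations, and all sample inputs are assumptions.

```python
import json
import sys
from pathlib import Path

PACKAGE = "rand-user-agent"
C2_HOST = "85.239.62.36"  # the article's C2 indicator, given there defanged as 85.239.62[.]36
HIDDEN_PAD = 200          # assumption: this much left padding parks code off-screen

def hidden_code_lines(text: str, pad: int = HIDDEN_PAD) -> list:
    """1-based numbers of lines whose content starts only after `pad` or more
    spaces/tabs, i.e. code pushed beyond an editor's horizontal scroll view."""
    hits = []
    for num, line in enumerate(text.splitlines(), 1):
        body = line.lstrip(" \t")
        if body and len(line) - len(body) >= pad:
            hits.append(num)
    return hits

def mentions_c2(text: str) -> bool:
    """True when the text references the C2 host, plain or defanged."""
    return C2_HOST in text.replace("[.]", ".")

def installed_versions(root: Path) -> list:
    """(directory, version) for every copy of PACKAGE under a node_modules tree."""
    found = []
    for pkg_json in root.rglob(f"node_modules/{PACKAGE}/package.json"):
        try:
            version = json.loads(pkg_json.read_text()).get("version", "?")
        except (OSError, ValueError):
            version = "?"  # unreadable or malformed package.json is itself worth a look
        found.append((str(pkg_json.parent), version))
    return found

def triage(root: Path) -> dict:
    """Run every check over one project root and return the findings."""
    report = {"packages": installed_versions(root), "suspicious_files": []}
    for pkg_dir, _version in report["packages"]:
        for js in Path(pkg_dir).rglob("*.js"):  # the hidden code sat in distribution files
            text = js.read_text(errors="ignore")
            padded, c2 = hidden_code_lines(text), mentions_c2(text)
            if padded or c2:
                report["suspicious_files"].append((str(js), padded, c2))
    # assumption: the hidden staging directory lives at ~/node_modules or ~/.node_modules
    home = Path.home()
    report["home_staging"] = [str(p) for p in (home / "node_modules", home / ".node_modules") if p.is_dir()]
    return report

if __name__ == "__main__":
    print(json.dumps(triage(Path(sys.argv[1] if len(sys.argv) > 1 else ".")), indent=2))
```

A hit from hidden_code_lines is a prompt to open the file at that line, not proof of compromise; confirm against the vendor’s published indicators before acting.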

This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 09 May 2025 15:05:13 +0000

