Compromised variants of the "rand-user-agent" package have appeared on NPM with a remote access trojan on board. The package is marked as deprecated but still gets a good 40,000 weekly downloads. Anyone who has used it in the last few weeks may have picked up the malicious code.
The package generates user-agent strings, i.e. the character strings that clients such as a browser send to the server. The publisher of the package, WebScrapingAPI, uses it for web scraping. However, it can also be used for other purposes such as automated testing or security checks.
Stealthy updates with a trojan
The last official version, 2.0.82, is seven months old, and the publisher WebScrapingAPI has marked the package as deprecated. The GitHub repository linked on the NPM page no longer exists.
However, Aikido, a company specializing in supply-chain security, found later versions of the package on NPM. These include malicious code in the file dist/index.js, which was not immediately visible in NPM's preview and was obfuscated several times.
The code sets up a hidden channel for communication with a command-and-control (C2) server and installs modules in a folder called .node_modules. The client then sends IDs and information about the client's operating system to the server.

The remote access trojan provides the following functions:
| Command | Purpose |
| --------------- | ------------------------------------------------------------- |
| cd | Change current working directory |
| ss_dir | Reset directory to script’s path |
| ss_fcd: | Force change directory to |
| ss_upf:f,d | Upload single file f to destination d |
| ss_upd:d,dest | Upload all files under directory d to destination dest |
| ss_stop | Sets a stop flag to interrupt current upload process |
| Any other input | Treated as a shell command, executed via child_process.exec() |
Windows gets an additional Python path entry
In addition, on Windows the initialization script creates a new folder and adds it at the beginning of the PATH environment variable. The folder name Python3127 is meant to suggest that it is an official folder of the programming language and thus to hide malicious code that is disguised as Python tools and is probably invoked in place of the official Python distribution:
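```js
// Excerpt from the malicious initialization script; `env` is defined elsewhere in that script (not shown here).
// Build the path of a fake "Python3127" folder under the user's local AppData directory.
const Y = path.join(
  process.env.LOCALAPPDATA || path.join(os.homedir(), 'AppData', 'Local'),
  'Programs\\Python\\Python3127'
)
// Prepend it to PATH so executables in that folder are found before the real ones.
env.PATH = Y + ';' + process.env.PATH
```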
The compromised packages have since been removed from NPM again. They carried the version numbers 2.0.83, 2.0.84 and 1.0.110. Anyone who has used the package in the last few months should check whether the malicious code is on their computer or communicating with the C2.
(RME)
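One way to run the check recommended above, as an added example that is not part of the original article or of Aikido's report: it searches a parsed package-lock.json for the three removed versions and looks for the fake Python3127 entry in a PATH value. The function names, the sample lockfile and the sample PATH are constructed for illustration.

```javascript
// Added example: package name and versions are the ones reported as compromised.
const BAD = { 'rand-user-agent': new Set(['2.0.83', '2.0.84', '1.0.110']) };

// Walk a parsed package-lock.json and return every compromised install found.
// Handles lockfileVersion 2/3 ("packages" map) and 1 (nested "dependencies").
function findCompromised(lock) {
  const hits = [];
  const check = (name, version, where) => {
    if (BAD[name] && BAD[name].has(version)) hits.push({ name, version, where });
  };
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/rand-user-agent".
    const idx = key.lastIndexOf('node_modules/');
    if (idx === -1) continue; // "" is the root project itself
    check(meta.name || key.slice(idx + 'node_modules/'.length), meta.version, key);
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = trail ? `${trail} > ${name}` : name;
      check(name, meta.version, where);
      walk(meta.dependencies, where); // transitive copies nested below this one
    }
  };
  // v2 lockfiles carry both maps; only fall back to the v1 tree when needed.
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Return PATH entries pointing at the fake "Python3127" folder (Windows uses ';').
function suspiciousPathEntries(pathValue) {
  return (pathValue || '').split(';').filter((entry) =>
    /\\Programs\\Python\\Python3127\\?$/i.test(entry.trim()));
}

// Constructed sample lockfile (lockfileVersion 3) and PATH value for demonstration.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/rand-user-agent': { version: '2.0.83' },
    'node_modules/scraper/node_modules/rand-user-agent': { version: '2.0.82' },
  },
};
const SAMPLE_PATH =
  'C:\\Users\\dev\\AppData\\Local\\Programs\\Python\\Python3127;C:\\Windows\\System32';

console.log(findCompromised(SAMPLE_LOCK));
console.log(suspiciousPathEntries(SAMPLE_PATH));
```

On a real machine, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and `process.env.PATH` instead of the samples.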
