Skip to content

17 NPM packages found infected with malware

  • by
  • 3 min read

Seventeen malicious packages were found in the open-source NPM repository. Most of these packages either steal credentials or Discord tokens, with some going as far as capturing credit card data associated with the hacked Discord accounts. Compromised Discord servers can be used as a command and control channel for botnets or as a proxy for downloading data from hacked servers.

The packages were flagged by JFrog researchers Andrey Polkovnychenko and Shachar Menashe, who published their report on Wednesday. The malicious packages were reported to NPM code maintainers and were promptly removed. According to NPM records, the packages hadn’t racked up a large number of downloads prior to disclosure.

We’ve seen Python’s PyPi repository hacked with crypto mining malware earlier this year in June. NPM’s UAParser.js and Pac-Resolver libraries have also been infected and were downloaded millions of times by unsuspecting developers. 

In the News: The Dark Web has a Cybercourt for Cybercriminals


If it’s popular it’s safe?

These NPM infection attacks have been picking up pace in recent years. It’s a ripe attack vector. The NPM package library is trusted by millions of developers worldwide and hence makes it easy for threat actors to slip infected packages that deliver malicious payloads over a trusted service. 

The payloads vary from info stealers to full remote access backdoors. The packages also use different infection tactics, including typosquatting, dependency confusion and trojan functionality.

Here’s a list of all the affected NPM packages.

PackageVersionPayloadInfection Method
prerequests-xcode1.0.4Remote Access TrojanUnknown
discord-selfbot-v1412.0.3Discord token grabberTyposquatting/Trojan (discord.js)
discord-lofy11.5.1Discord token grabberTyposquatting/Trojan (discord.js)
discordsystem11.5.1Discord token grabberTyposquatting/Trojan (discord.js)
discord-vilao1.0.0Discord token grabberTyposquatting/Trojan (discord.js)
fix-error1.0.0PirateStealer (Discord malware)Trojan
wafer-bind1.1.2Environment variable stealerTyposquatting (wafer-*)
wafer-toggle1.15.4Environment variable stealerTyposquatting (wafer-*)
wafer-autocomplete1.25.0Environment variable stealerTyposquatting (wafer-*)
wafer-beacon1.3.3Environment variable stealerTyposquatting (wafer-*)
wafer-caas1.14.20Environment variable stealerTyposquatting (wafer-*)
wafer-geolocation1.2.10Environment variable stealerTyposquatting (wafer-*)
wafer-image1.2.2Environment variable stealerTyposquatting (wafer-*)
wafer-form1.30.1Environment variable stealerTyposquatting (wafer-*)
wafer-lightbox1.5.4Environment variable stealerTyposquatting (wafer-*)
octavius-public1.836.609Environment variable stealerTyposquatting (wafer-*)
mrg-message-broker9998.987.376Environment variable stealerDependency confusion

Discord token-grabbing malware is also on the rise and for several reasons. For one, Discord servers can be used as an anonymous command and control server to control a remote access trojan or even an entire botnet. Additionally, Discord can also be used as an anonymous data exfiltration channel using webhooks.

Hacked Discord accounts can also be used to spread malware to the account’s owner and their friends, a somewhat effective way of getting malware onto a large number of machines rather quickly.

Lastly, Discord operates a premium service called ‘Nitro.’ The service costs about $100 a year and unlocks cosmetic upgrades for the user and the ability to ‘boost’ their servers of choice. These premium accounts are often stolen and sold off far lower than the subscription price. 

In the News: Meta announces month-long “Stars Fest” on Facebook

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

>