Seventeen malicious packages were found in the open-source NPM repository. Most of these packages either steal credentials or Discord tokens, with some going as far as capturing credit card data associated with the hacked Discord accounts. Compromised Discord servers can be used as a command and control channel for botnets or as a proxy for downloading data from hacked servers.
The packages were flagged by JFrog researchers Andrey Polkovnychenko and Shachar Menashe, who published their report on Wednesday. The malicious packages were reported to NPM code maintainers and were promptly removed. According to NPM records, the packages hadn’t racked up a large number of downloads prior to disclosure.
We’ve seen Python’s PyPI repository hacked with crypto-mining malware earlier this year, in June. NPM’s UAParser.js and Pac-Resolver libraries have also been infected and were downloaded millions of times by unsuspecting developers.
If it’s popular, is it safe?
These NPM infection attacks have been picking up pace in recent years. It’s a ripe attack vector: the NPM package library is trusted by millions of developers worldwide, which makes it easy for threat actors to slip in infected packages that deliver malicious payloads over a trusted service.
The payloads vary from info stealers to full remote access backdoors. The packages also use different infection tactics, including typosquatting, dependency confusion and trojan functionality.
Here’s a list of all the affected NPM packages.
Package | Version | Payload | Infection Method |
---|---|---|---|
prerequests-xcode | 1.0.4 | Remote Access Trojan | Unknown |
discord-selfbot-v14 | 12.0.3 | Discord token grabber | Typosquatting/Trojan (discord.js) |
discord-lofy | 11.5.1 | Discord token grabber | Typosquatting/Trojan (discord.js) |
discordsystem | 11.5.1 | Discord token grabber | Typosquatting/Trojan (discord.js) |
discord-vilao | 1.0.0 | Discord token grabber | Typosquatting/Trojan (discord.js) |
fix-error | 1.0.0 | PirateStealer (Discord malware) | Trojan |
wafer-bind | 1.1.2 | Environment variable stealer | Typosquatting (wafer-*) |
wafer-toggle | 1.15.4 | Environment variable stealer | Typosquatting (wafer-*) |
wafer-autocomplete | 1.25.0 | Environment variable stealer | Typosquatting (wafer-*) |
wafer-beacon | 1.3.3 | Environment variable stealer | Typosquatting (wafer-*) |
wafer-caas | 1.14.20 | Environment variable stealer | Typosquatting (wafer-*) |
wafer-geolocation | 1.2.10 | Environment variable stealer | Typosquatting (wafer-*) |
wafer-image | 1.2.2 | Environment variable stealer | Typosquatting (wafer-*) |
wafer-form | 1.30.1 | Environment variable stealer | Typosquatting (wafer-*) |
wafer-lightbox | 1.5.4 | Environment variable stealer | Typosquatting (wafer-*) |
octavius-public | 1.836.609 | Environment variable stealer | Typosquatting (wafer-*) |
mrg-message-broker | 9998.987.376 | Environment variable stealer | Dependency confusion |
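As an added example (not from the JFrog report or this article), the audit below checks an npm v2/v3 package-lock.json against the list above, flags the inflated version numbers typical of dependency-confusion uploads, and verifies that internal package names resolved from the private registry rather than the public one. INTERNAL_NAMES and PRIVATE_REGISTRY are assumed values, and the sample lockfile is constructed.

```python
import json

# (name, version) pairs exactly as listed in the table above.
KNOWN_MALICIOUS = {
    ("prerequests-xcode", "1.0.4"), ("discord-selfbot-v14", "12.0.3"),
    ("discord-lofy", "11.5.1"), ("discordsystem", "11.5.1"),
    ("discord-vilao", "1.0.0"), ("fix-error", "1.0.0"),
    ("wafer-bind", "1.1.2"), ("wafer-toggle", "1.15.4"),
    ("wafer-autocomplete", "1.25.0"), ("wafer-beacon", "1.3.3"),
    ("wafer-caas", "1.14.20"), ("wafer-geolocation", "1.2.10"),
    ("wafer-image", "1.2.2"), ("wafer-form", "1.30.1"),
    ("wafer-lightbox", "1.5.4"), ("octavius-public", "1.836.609"),
    ("mrg-message-broker", "9998.987.376"),
}
# Assumptions: names an organisation publishes only to its own registry, and that registry's URL.
INTERNAL_NAMES = {"mrg-message-broker"}
PRIVATE_REGISTRY = "https://npm.example.internal/"
SUSPICIOUS_MAJOR = 1000  # an inflated major wins version resolution, a classic confusion tell

def audit_lockfile(lock: dict) -> list:
    """Return (name, version, reason) for each suspicious lockfile entry."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested and scoped paths
        version = meta.get("version", "")
        if (name, version) in KNOWN_MALICIOUS:
            findings.append((name, version, "known malicious package"))
        major = version.split(".")[0]
        if major.isdigit() and int(major) >= SUSPICIOUS_MAJOR:
            findings.append((name, version, "implausible version number"))
        if name in INTERNAL_NAMES and not meta.get("resolved", "").startswith(PRIVATE_REGISTRY):
            findings.append((name, version, "internal name resolved from public registry"))
    return findings

# Constructed sample lockfile (v3 layout): one clean dependency and two entries from the table.
SAMPLE_LOCK = json.loads("""{
  "packages": {
    "": {"name": "demo-app", "version": "0.1.0"},
    "node_modules/discord.js": {"version": "13.3.1", "resolved": "https://registry.npmjs.org/discord.js/-/discord.js-13.3.1.tgz"},
    "node_modules/discord-lofy": {"version": "11.5.1", "resolved": "https://registry.npmjs.org/discord-lofy/-/discord-lofy-11.5.1.tgz"},
    "node_modules/mrg-message-broker": {"version": "9998.987.376", "resolved": "https://registry.npmjs.org/mrg-message-broker/-/mrg-message-broker-9998.987.376.tgz"}
  }
}""")

if __name__ == "__main__":
    for name, version, reason in audit_lockfile(SAMPLE_LOCK):
        print(f"{name}@{version}: {reason}")
```

Point it at a real lockfile with `json.load(open("package-lock.json"))`; the version and registry heuristics still fire after the exact list goes stale.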
Discord token-grabbing malware is also on the rise, for several reasons. For one, Discord servers can be used as an anonymous command and control server to control a remote access trojan or even an entire botnet. Additionally, Discord can be used as an anonymous data exfiltration channel using webhooks.
Hacked Discord accounts can also be used to spread malware to the account’s owner and their friends, a somewhat effective way of getting malware onto a large number of machines rather quickly.
Lastly, Discord operates a premium service called ‘Nitro.’ The service costs about $100 a year and unlocks cosmetic upgrades for the user and the ability to ‘boost’ their servers of choice. These premium accounts are often stolen and sold off for far less than the subscription price.