Another set of malicious npm packages caught stealing Discord tokens, environment variables
All 25 libraries mimicked the names of more popular libraries, the company said in a blog post today, hoping that developers would accidentally include them in their projects when mistyping names or not researching a package's origin thoroughly enough.
JFrog said the libraries also contained different types of malicious code, which suggests they were created by different threat actors, each pursuing different goals.
Seventeen of the 25 libraries were designed to steal Discord access tokens from the computers where the malicious code was executed.
If it sounds like a strange target, the reality is that Discord tokens are a highly valuable resource, working similar to browser authentication cookies, allowing attackers to access accounts without providing a password.
These tokens are often sold in underground circles and are typically acquired by spammers, who use them to gain access to user accounts and then flood Discord channels and their respective users with ads and even malicious links.
Five other packages contained code that stole environment variables from the infected projects, which are details from a developer's local programming environment.
These variables typically store OS information, but in some cases, they can also contain API keys and login credentials for cloud services, information that many attackers like to collect.
But the most dangerous packages were the last three, which allowed attackers to run their own commands on user systems via either Python code or shell commands.
JFrog described the threat actors as "novice hackers" since all they've done was to copy a legitimate package and then insert the malicious functionality. The research team said that while all of this involved minimal effort, if the packages weren't detected, the attacks would have had a high return on investment (ROI), which is why they expect to see similar malicious packages flood the npm repository in the future.
This is the second time in three months that JFrog found malicious npm packages designed to steal Discord tokens and environemtn variables after finding and reporting 17 similar packages in December 2021.
The list of the 25 malicious npm libraries is below.
|node-colors-sync||Discord token stealer||Masquerading (colors)|
|color-self||Discord token stealer||Masquerading (colors)|
|color-self-2||Discord token stealer||Masquerading (colors)|
|wafer-text||Environment variable stealer||Typosquatting (wafer-*)|
|wafer-countdown||Environment variable stealer||Typosquatting (wafer-*)|
|wafer-template||Environment variable stealer||Typosquatting (wafer-*)|
|wafer-darla||Environment variable stealer||Typosquatting (wafer-*)|
|lemaaa||Discord token stealer||Hidden functionality|
|adv-discord-utility||Discord token stealer||Unknown|
|tools-for-discord||Discord token stealer||Unknown|
|mynewpkg||Environment variable stealer||Unknown|
|purple-bitch||Discord token stealer||Unknown|
|purple-bitchs||Discord token stealer||Unknown|
|noblox.js-addons||Discord token stealer||Masquerading (noblox.js)|
|markedjs||Python remote code injector||Masquerading (marked)|
|crypto-standarts||Python remote code injector||Masquerading (crypto-js)|
|discord-selfbot-tools||Discord token stealer||Masquerading (discord.js)|
|discord.js-aployscript-v11||Discord token stealer||Masquerading (discord.js)|
|discord.js-selfbot-aployscript||Discord token stealer||Masquerading (discord.js)|
|discord.js-selfbot-aployed||Discord token stealer||Masquerading (discord.js)|
|discord.js-discord-selfbot-v4||Discord token stealer||Masquerading (discord.js)|
|colors-beta||Discord token stealer||Masquerading (colors)|
|vera.js||Discord token stealer||Unknown|
|discord-protection||Discord token stealer||Unknown|
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.