Another set of malicious npm packages caught stealing Discord tokens, environment variables
Catalin Cimpanu February 22, 2022

Another set of malicious npm packages caught stealing Discord tokens, environment variables

Catalin Cimpanu

February 22, 2022

Another set of malicious npm packages caught stealing Discord tokens, environment variables

DevOps security firm JFrog said today that it found and helped remove 25 malicious JavaScript libraries from the official npm package repository.

All 25 libraries mimicked the names of more popular libraries, the company said in a blog post today, hoping that developers would accidentally include them in their projects when mistyping names or not researching a package’s origin thoroughly enough.

JFrog said the libraries also contained different types of malicious code, which suggests they were created by different threat actors, each pursuing different goals.

Seventeen of the 25 libraries were designed to steal Discord access tokens from the computers where the malicious code was executed.

If it sounds like a strange target, the reality is that Discord tokens are a highly valuable resource, working similar to browser authentication cookies, allowing attackers to access accounts without providing a password.

These tokens are often sold in underground circles and are typically acquired by spammers, who use them to gain access to user accounts and then flood Discord channels and their respective users with ads and even malicious links.

Five other packages contained code that stole environment variables from the infected projects, which are details from a developer’s local programming environment.

These variables typically store OS information, but in some cases, they can also contain API keys and login credentials for cloud services, information that many attackers like to collect.

But the most dangerous packages were the last three, which allowed attackers to run their own commands on user systems via either Python code or shell commands.

JFrog described the threat actors as “novice hackers” since all they’ve done was to copy a legitimate package and then insert the malicious functionality. The research team said that while all of this involved minimal effort, if the packages weren’t detected, the attacks would have had a high return on investment (ROI), which is why they expect to see similar malicious packages flood the npm repository in the future.

This is the second time in three months that JFrog found malicious npm packages designed to steal Discord tokens and environemtn variables after finding and reporting 17 similar packages in December 2021.

The list of the 25 malicious npm libraries is below.

PackagePayloadInfection Method
node-colors-syncDiscord token stealerMasquerading (colors)
color-selfDiscord token stealerMasquerading (colors)
color-self-2Discord token stealerMasquerading (colors)
wafer-textEnvironment variable stealerTyposquatting (wafer-*)
wafer-countdownEnvironment variable stealerTyposquatting (wafer-*)
wafer-templateEnvironment variable stealerTyposquatting (wafer-*)
wafer-darlaEnvironment variable stealerTyposquatting (wafer-*)
lemaaaDiscord token stealerHidden functionality
adv-discord-utilityDiscord token stealerUnknown
tools-for-discordDiscord token stealerUnknown
mynewpkgEnvironment variable stealerUnknown
purple-bitchDiscord token stealerUnknown
purple-bitchsDiscord token stealerUnknown
noblox.js-addonsDiscord token stealerMasquerading (noblox.js)
kakakaakaaa11aaConnectback shellUnknown
markedjsPython remote code injectorMasquerading (marked)
crypto-standartsPython remote code injectorMasquerading (crypto-js)
discord-selfbot-toolsDiscord token stealerMasquerading (discord.js)
discord.js-aployscript-v11Discord token stealerMasquerading (discord.js)
discord.js-selfbot-aployscriptDiscord token stealerMasquerading (discord.js)
discord.js-selfbot-aployedDiscord token stealerMasquerading (discord.js)
discord.js-discord-selfbot-v4Discord token stealerMasquerading (discord.js)
colors-betaDiscord token stealerMasquerading (colors)
vera.jsDiscord token stealerUnknown
discord-protectionDiscord token stealerUnknown

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.