Malicious npm packages caught stealing Discord tokens, environment variables

The Node Package Manager (npm) security team has removed 17 JavaScript libraries this week that contained malicious code to collect and steal Discord access tokens and environment variables from users' computers.

"Luckily, these packages were removed before they could rack up a large number of downloads (based on npm records) so we managed to avoid a scenario similar to our last PyPI disclosure, where the malicious packages were downloaded tens of thousands of times before they were detected and removed," said Andrey Polkovnychenko and Shachar Menashe, two security researchers at DevOps security firm JFrog, and the ones who spotted and reported the malicious packages to the npm team.

Polkovnychenko and Menashe said that if a developer had downloaded and installed any of these libraries, they would have executed malicious code on their systems that either installed malware or collected data to send back to the attackers.

Four of the npm JavaScript libraries contained functions to collect Discord access tokens, which effectively act as authentication cookies and can allow attackers to hijack an infected developer's Discord account.

A fifth npm package contained a copy of PirateStealer, a piece of malware that could also extract other data from Discord apps and accounts, such as payment card details, login credentials, and personal information.

Another set of eleven libraries included functions that collected environment variables, which are details from a developer's local programming environment. These variables normally store user and OS information, but in some cases, they can also contain API keys and login credentials, something that an attacker would definitely be interested in collecting.

And last but not least, a 17th package also downloaded and installed a full-blown remote access trojan that granted the threat actor full control over a developer's computer.

| Package | Version | Payload | Infection Method |
|---|---|---|---|
| prerequests-xcode | 1.0.4 | Remote Access Trojan (RAT) | Unknown |
| discord-selfbot-v14 | 12.0.3 | Discord token grabber | Typosquatting/Trojan |
| discord-lofy | 11.5.1 | Discord token grabber | Typosquatting/Trojan |
| discordsystem | 11.5.1 | Discord token grabber | Typosquatting/Trojan |
| discord-vilao | 1.0.0 | Discord token grabber | Typosquatting/Trojan |
| fix-error | 1.0.0 | PirateStealer (Discord malware) | Trojan |
| wafer-bind | 1.1.2 | Environment variable stealer | Typosquatting |
| wafer-autocomplete | 1.25.0 | Environment variable stealer | Typosquatting |
| wafer-beacon | 1.3.3 | Environment variable stealer | Typosquatting |
| wafer-caas | 1.14.20 | Environment variable stealer | Typosquatting |
| wafer-toggle | 1.15.4 | Environment variable stealer | Typosquatting |
| wafer-geolocation | 1.2.10 | Environment variable stealer | Typosquatting |
| wafer-image | 1.2.2 | Environment variable stealer | Typosquatting |
| wafer-form | 1.30.1 | Environment variable stealer | Typosquatting (wafer-*) |
| wafer-lightbox | 1.5.4 | Environment variable stealer | Typosquatting (wafer-*) |
| octavius-public | 1.836.609 | Environment variable stealer | Typosquatting (octavius) |
| mrg-message-broker | 9998.987.376 | Environment variable stealer | Dependency confusion |

However, while JFrog deserves credit for its recent discovery, this is not an isolated incident. This year, both JFrog and fellow DevOps security firm Sonatype have found tens of malicious libraries uploaded to both the npm (JavaScript) and PyPI (Python) package repositories, and all signs point to some sort of process automation in the creation of these malicious packages at scale.

There is a lot that could be said about how both npm and PyPI are to blame for this situation and for the wave of malicious libraries that are constantly being found on their platforms.

Neither service manually reviews package uploads, which has practically left the door open and invited such threat actors onto their platforms.

However, we'd only sound like a broken record in the same ol' discussion that many security researchers have had on this topic for years, all of which have led to no change to how the two package repositories handle package submissions.

Instead, a clear trend this year is the sheer number of malicious npm and PyPI packages that have targeted the theft of Discord tokens.

As Polkovnychenko and Menashe point out, this could be explained by the increasing number of malware operations that use Discord accounts to host their payloads or collect information from their victims, in a trend also spotted by RiskIQ, Check Point, Sophos, and Zscaler.

Since malware authors wouldn't want to create these accounts themselves, it makes sense to hijack or buy access to legitimate accounts for their operations.


Catalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.