NPM Packages Intruded By The Malware That Steals Discord User Data
NPM (Node Package Manager) is a code repository (a code repository is where snippets and patches of source code for software programs are archived in an organized way) in which JavaScript developers share and reuse code; three malicious packages have been uploaded to it. These packages may have been pulled in, unknowingly, as building blocks of web-based applications, and any application built with them will end up stealing the data and tokens of its Discord users.
Discord is meant to gather several users together to build communities on the Internet. Communities on Discord are called "servers", and they can be independent groups or part of other websites, organizations, or platforms. Discord lets users interact through text messages, voice calls, and video calls, and also supports file and media sharing. Like any other platform, Discord has bots: automated accounts that welcome new users and guide them through the platform's services, operations, and limitations, carry out community outreach, and deal with users who break the rules. Bots also let communities add features such as polls, games, music, and prizes to their servers. These bots hold platform tokens in their code, which they use to authenticate when sending commands to and receiving events from the Discord API, and theft of these tokens could let an attacker take control of the bot and the server it administers.
Packages published by SCP-173, named an0n-chat-lib, had been deleted but were somehow still available for download on Friday. To trick developers into believing they are genuine, these packages use techniques such as typosquatting and brandjacking. Researchers at Sonatype said they had found clear evidence that the operators were using Discord bots to generate fake downloads of the packages, inflating the download counts so that the packages appeared popular and legitimate and luring users into installing them.
The attackers behind this operation are believed to be the same group behind another Discord malware called CursedGrabber, because these packages share characteristics with it. CursedGrabber is a Discord malware family first found in November 2020 that mainly targets Windows hosts. It ships two .exe files that are dropped and executed through the post-install scripts in the package's "package.json" file. One executable unpacks embedded code capable of keylogging, accessing webcams, escalating privileges, setting up backdoors, capturing screenshots, and more; the second scans the user's profiles in Discord's leveldb files and in several browsers, then steals payment card details and platform tokens. The stolen data is transmitted back to the attacker via a webhook.
Sonatype researchers also said that “These packages contain variations of Discord token stealing code from Discord malware discovered by Sonatype on numerous occasions.”