Discord-Stealing Malware Invades npm Packages


The CursedGrabber malware has infiltrated the open-source software code repository.

Three malicious software packages are published to npm, a code repository for JavaScript developers to share and reuse code blocks. The packages represent a supply-chain threat as long as they’ll be used as building blocks in various web applications; any applications corrupted by the code can steal tokens and other information from Discord users, researchers said.

Discord is meant for creating communities on the online , called “servers,” either as standalone forums or as a part of another website. Users communicate with voice calls, video calls, text messaging, media and files. Discord “bots” are central to its function; these are AIs which will be programmed to moderate discussion forums, welcome and guide new members, police rule-breakers and perform community outreach. They also want to add features to the server, like music, games, polls, prizes and more.

Discord tokens are used inside bot code to send commands back and forth to the Discord API, which successively controls bot actions. If a Discord token is stolen, it might allow an attacker to hack the server

As of Friday, the packages (named an0n-chat-lib, discord-fix and sonatype, all published by “scp173-deleted”) were still available for download. they create use of brandjacking and typosquatting to lure developers into thinking they’re legitimate. There’s also “clear evidence that the malware campaign was employing a Discord bot to get fake download counts for the packages to form them appear more popular to potential users,” consistent with researchers at Sonatype.

The authors are an equivalent operators behind the CursedGrabber Discord malware, the researchers said, and therefore the packages share DNA thereupon threat.

The CursedGrabber Discord malware family, discovered in November, targets Windows hosts. It contains two .exe files which are invoked and executed via ‘postinstall’ scripts from the manifest file, ‘package.json’. one among the .exe files scans user profiles from multiple web browsers along side Discord leveldb files, steals Discord tokens, steals credit-card information, and sends user data via a webhook to the attacker. The second unpacks additional code with multiple capabilities, including privilege escalation, keylogging, taking screenshots, planting backdoors, accessing webcams then on.

In the case of the three npm packages, these “contain variations of Discord token-stealing code from the Discord malware discovered by Sonatype on numerous occasions,” said Sonatype security researcher Ax Sharma, during a Friday blog posting.

Open-Source Software Repository Malware

Uploading malicious packages to code repositories is an increasingly common tactic employed by malware operators. In December as an example , RubyGems, an open-source package repository and manager for the Ruby web programing language , had to require two of its software packages offline after they were found to be laced with malware.

The gems contained malware that ran itself persistently on infected Windows machines and replaced any Bitcoin or cryptocurrency wallet address it found on the user’s clipboard with the attacker’s. So, if a user of a corrupted web app built using the gems were to copy-paste a Bitcoin recipient wallet address somewhere on their system, the address would get replaced thereupon by the attacker.

“We have repeatedly seen…open-source malware striking GitHub, npm and RubyGems, attackers can exploit trust within the open-source community to deliver just about anything malicious, from sophisticated spying trojans like njRAT, to…CursedGrabber,” Sharma told in an interview.

The latest findings reiterate that software supply-chain attacks will only become more common and underscore how crucial it’s for organizations that protect against such attacks and continuously improve their strategies against them, consistent with Sonatype.


Please enter your comment!
Please enter your name here