Cybercriminals hit malware authors with malicious NPM packages

Discord tokens have become the perfect medium for cybercriminals to gain unauthorized access to accounts allowing the operators to distribute malicious links through compromised Discord channels. 

According to a new report from JFrog researchers, published on 22 February, the company has dubbed the attack as “Malware Civil War” after its scanners detected 25 malicious NPM (node package manager) packages most of which were Discord token stealers. Surprisingly, malware authors are targeting their rival malware authors in this instance.

What Happens When Discord Tokens are Stolen

When a threat actor manages to steal environment variables and Discord tokens from infected systems, they can use them to infiltrate their target’s account to hijack Discord servers. These servers are valuable assets and much sought-after in underground criminal marketplaces.

Details of Malicious NPM Packages

According to researchers, the malicious packages are leveraging typosquatting techniques and are the work of unsophisticated or “novice” malware authors. The packages were discovered in the NPM repository.

As per the findings of JFrog’s cybersecurity researchers, 25 malicious packages were masqueraded as colors.js, crypto-js, discord.js, marked, and noblox.js. Most of these packages were removed by their maintainers upon detection.

Most Damaging Packages?

Markedjs and crypto.js are two of the rogue packages that are the most lethal as these can duplicate trojan packages and replicate the original functionalities of known libraries. Additionally, these packages feature malicious code to inject arbitrary Python code remotely.

Lemaaa is another damaging package. It is basically a library used by threat actors to exploit Discord accounts, stated DevOps firm JFrog’s researchers Andrey Polkovnychenko and Shachar Menashe. Lemaaa can use the supplied Discord token to steal its victim’s credit card data, hijack the account by modifying the email and account password, and remove all the contact information.

When used in a certain way, the library will hijack the secret Discord token given to it, in addition to performing the requested utility function.

Andrey Polkovnychenko and Shachar Menashe – JFrog

More Rival vs. Rival News

  1. Ticketmaster hacked a rival and now it’s paying a $10m fine for it
  2. OGUsers hacking forum hacked; entire database dumped on rival forum
  3. Executive hacked competitor’s website to steal students meal preferences

On the other hand, Vera.js is a Discord token stealer that employs a unique approach to perform token theft as it doesn’t obtain information from local disk storage but retrieves the token from the local storage of a web browser. Through this tactic, it can steal tokens generated while using the web browser to log into the Discord website and not the Discord app, which saves the token to local storage.

These findings reveal how NPM can be abused to deploy numerous types of payloads from remote access backdoors to info-stealers. Developers must examine their packages’ dependencies to prevent dependency confusion and typosquatting attacks.

Related Posts