NPM Typosquatting Attack Deploys r77 Rootkit via Legitimate Package

Another day, another NPM typosquatting attack.


  • ReversingLabs researchers have discovered a new typosquatting campaign exploiting the NPM platform.
  • Researchers observed a malicious NPM package called node-hide-console-windows delivering the r77 rootkit to innocent users.
  • Typosquatting is a deceptive method where cybercriminals create domain names, social media accounts or package names that closely imitate the spelling of the original organization’s name.
  • 10 versions of the malicious NPM package were discovered. 
  • In this cybersquatting attack, scammers have exploited the legitimate package node-hide-console-window to deceive users.

ReversingLabs’ cybersecurity researchers have uncovered a malicious NPM package (node-hide-console-windows) created using typosquatting to resemble a legitimate NPM package called node-hide-console-window.

As is evident, the attackers appended an ‘s’ to the name of the malicious package to distinguish it from the original one. The concerning part is that this malicious package has been downloaded over 700 times. This campaign started at the end of August 2023.

ReversingLabs revealed that when a user installs this malicious package, a Discord bot is downloaded that plants the open-source r77 rootkit. This rootkit hides itself within the OS to remain undetected and lets the attacker obtain complete control of the victim’s device.

Researchers examined the executable fetched by a file named index.js, which turned out to be DiscordRAT 2.0. All ten versions of the malicious NPM package downloaded the same DiscordRAT 2.0 executable. However, the last two versions contained an additional malicious payload disguised as a visual code update and fetched by index.js.

For your information, DiscordRAT 2.0 is a Discord Remote Administration Tool that is promoted for training purposes but is, in effect, open-source malware. Threat actors must register the bot with the Discord developer portal and add it to a Discord server (guild) before deploying it. The guild ID is added to the DiscordRAT 2.0 executable, which is then delivered to victims through phishing email attachments or packages available on public repositories.

Further probing revealed that the Discord guild for the malware was launched on August 15, just 10 days before the malicious NPM package’s first version was published. The executable creates a channel in the connected Discord server for each victim and sends the initial payload to the infected host.

From there, the bot receives additional commands from the attacker and can perform a range of tasks such as disabling Windows Defender, blocking the victim’s mouse and keyboard, bluescreening the device, and killing processes. It supports a long list of commands, but the most important is the ‘!rootkit’ command, recently added to DiscordRAT 2.0, which launches the r77 rootkit on the infected device.

r77 is an open-source, fileless ring 3 rootkit that features extensive documentation and can disguise files and processes.

It is worth noting that this is the first time researchers have identified a malicious NPM package that facilitates rootkit functionality. This indicates a need to secure open-source projects, as cybercriminals increasingly prefer to exploit them to distribute malware.

Attackers used other tactics to ensure developers added the malicious package to their applications, such as creating an NPM page similar to the legitimate package’s page. Moreover, just like the original package, the malicious one also featured 10 published versions.

In their blog post, researchers have noted an uptick in campaigns exploiting the NPM package registry platform. In August 2023, ReversingLabs researchers discovered multiple malicious NPM packages linked to a campaign targeting cryptocurrency providers.

Another NPM-related campaign was discovered in July 2023, targeting developers and end-users with malicious code that stole sensitive user data via fake login forms and implanted credential-stealing scripts in apps that unintentionally incorporated NPM packages.

For your information, the original package (node-hide-console-window) is used to toggle the console window visibility of an application.

To protect yourself against typosquatting attacks, it is essential to check names carefully while typing or searching for addresses or packages online, so that you reach the original site or repository.

In addition, closely inspect the package’s name and description before installing. Install a reliable security solution to detect and block malicious packages in time. If you suspect your device is infected with the r77 rootkit, quickly run a system scan using a reliable antivirus and change the passwords for all accounts, especially banking passwords.
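The name inspection recommended above can be automated. The following is an added example, not code from ReversingLabs or from either package: it flags dependencies in a package.json whose names are near-misses of packages you already trust. The allowlist, the sample manifest, its version strings, and the function names are all constructed for illustration.

```javascript
// Constructed allowlist; in practice, load it from your reviewed dependency inventory.
const TRUSTED = ["node-hide-console-window", "express", "lodash"];

// Levenshtein edit distance: insert, delete and substitute each cost 1.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Ignore case and separators so "node_hide-consolewindow" style variants are caught too.
const normalise = (name) => name.toLowerCase().replace(/[-_.]/g, "");

// Return every dependency that is NOT a trusted name but sits within
// maxDistance edits of one: the signature of a typosquat.
function findLookalikes(manifest, trusted = TRUSTED, maxDistance = 2) {
  const deps = { ...manifest.dependencies, ...manifest.devDependencies };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (trusted.includes(name)) continue; // exact match: the package you meant
    for (const good of trusted) {
      const distance = editDistance(normalise(name), normalise(good));
      if (distance <= maxDistance) findings.push({ name, resembles: good, distance });
    }
  }
  return findings;
}

// Constructed sample manifest (version strings are placeholders).
const sampleManifest = {
  dependencies: {
    "node-hide-console-windows": "1.0.0", // the extra 's' described in the article
    "express": "1.0.0",
    "left-pad": "1.0.0",
  },
  devDependencies: { "lodahs": "1.0.0" },
};

console.log(findLookalikes(sampleManifest));
```

Running a check like this in CI before `npm install` turns the "inspect the name" advice into a gate; a finding should prompt a manual review of the package page and publisher rather than an automatic block.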
