DevOps security firm JFrog discovered 17 new malicious packages in the npm (Node.js package manager) repository that intentionally seek to attack and steal a user’s Discord tokens.
Shachar Menashe, senior director of JFrog security research, and Andrey Polkovnychenko said the packages intentionally seek to hijack a user’s Discord token, effectively giving the attacker full control over the user’s account.
“This type of attack has severe implications if executed well and in this case public hack tools made such an attack easy enough for even a novice hacker to perform,” Menashe said. “We recommend organizations take precaution and manage their use of npm for software curation, to reduce the risk of introducing malicious code into their applications.”
The two explained that the packages’ payloads are varied, ranging from infostealers to full remote access backdoors. They added that the packages have different infection tactics, including typosquatting, dependency confusion and trojan functionality.
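The infection tactics named above suggest the kind of curation check a defender can automate before a dependency reaches a build. The following is an added example, not code from JFrog or from the article: it audits the "packages" map of an npm package-lock.json for two of those signals, a dependency name within one edit of an allowlisted package (a typosquatting candidate) and an internal package name that was resolved from the public registry instead of a private one (a dependency confusion candidate). The allowlist, the internal package names and the lockfile fragment are constructed for illustration and are not the packages JFrog reported.

```javascript
// Dependency curation check for an npm project (added example, not the
// article's or JFrog's code). Flags lookalikes of allowlisted package names
// (typosquatting) and internal package names resolved from the public
// registry (dependency confusion). All names below are constructed.

// Constructed allowlist of well-known packages an organization actually uses.
const KNOWN_GOOD = ['express', 'lodash', 'discord.js', 'axios', 'react'];

// Constructed list of names reserved for internal (private) packages.
const INTERNAL_NAMES = ['acme-auth-client', 'acme-logging'];

const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';

// Optimal string alignment (restricted Damerau-Levenshtein) distance, so a
// single adjacent transposition such as "lodahs" vs "lodash" costs one edit.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Returns the allowlisted name a dependency closely resembles, or null when
// the name is exactly allowlisted or not within one edit of anything.
function typosquatCandidate(name) {
  if (KNOWN_GOOD.includes(name)) return null;
  for (const good of KNOWN_GOOD) {
    if (editDistance(name, good) <= 1) return good;
  }
  return null;
}

// Takes the "packages" map of a lockfileVersion 2/3 package-lock.json (keys
// like "node_modules/<name>", each with a "resolved" URL) and returns findings.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry, not a dependency
    // Handles nested paths and scoped names: keep everything after the last "node_modules/".
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);

    const lookalike = typosquatCandidate(name);
    if (lookalike) {
      findings.push({ name, type: 'typosquat', detail: `resembles ${lookalike}` });
    }

    const resolved = meta.resolved || '';
    if (INTERNAL_NAMES.includes(name) && resolved.startsWith(PUBLIC_REGISTRY)) {
      findings.push({
        name,
        type: 'dependency-confusion',
        detail: `internal package name resolved from ${PUBLIC_REGISTRY}`,
      });
    }
  }
  return findings;
}

// Constructed lockfile fragment, not taken from any real project.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'sample-app' },
    'node_modules/express': { resolved: 'https://registry.npmjs.org/express/-/express-4.18.2.tgz' },
    'node_modules/lodahs': { resolved: 'https://registry.npmjs.org/lodahs/-/lodahs-1.0.0.tgz' },
    'node_modules/acme-auth-client': { resolved: 'https://registry.npmjs.org/acme-auth-client/-/acme-auth-client-9.9.9.tgz' },
    'node_modules/acme-logging': { resolved: 'https://npm.internal.example/acme-logging/-/acme-logging-2.1.0.tgz' },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Run against the constructed lockfile, the check reports two findings: `lodahs` as a lookalike of `lodash`, and `acme-auth-client` because an internal name was fetched from the public registry; `acme-logging`, resolved from the private registry, passes. The distance threshold of one edit is deliberately tight to keep false positives low on short names; a real deployment would read the lockfile from disk and run in CI before `npm ci`.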
The packages have been removed from the npm repository and the JFrog security research team said they were taken down “before they could rack up a large number of downloads.”
JFrog noted that there has been an increase in malware aimed at stealing Discord tokens because the platform now has more than 350 million registered users and can be used as anonymous command & control (C2) servers and for social engineering purposes.
“Due to the popularity of this attack payload, there are quite a lot of Discord token grabbers posted with build instructions on GitHub. An attacker can take one of these templates and develop custom malware without extensive programming skills – meaning any novice hacker can do this with ease in a matter of minutes,” the researchers explained.
“As mentioned, this can be used in tandem with a variety of online obfuscation tools to avoid basic detection techniques. It’s important to note these payloads are less likely to be caught by antivirus solutions, versus a full-on RAT backdoor, since a Discord stealer does not modify any files, does not register itself anywhere (to be executed on next boot, for example) and does not perform suspicious operations such as spawning child processes.”
Their report on the situation notes that JFrog has found a “barrage of malicious software hosted and delivered through open-source software repositories,” adding that public repositories like PyPI and npm have become a handy instrument for malware distribution.
“The repository’s server is a trusted resource, and communication with it does not raise the suspicion of any antivirus or firewall. In addition, the ease of installation via automation tools such as the npm client provides a ripe attack vector,” the researchers said.
The Record explained that npm does not manually review package uploads, giving cybercriminals free rein to upload whatever they want.
John Bambenek, principal threat hunter at Netenrich, said cybersecurity experts have for some time seen attempts to insert malicious code into, or set up malicious libraries in, PyPI and npm.
“Automation is the next logical step for the attackers to increase the number of victims they have control of,” Bambenek said. “The malicious code usually is not in place for very long, but if you do it at scale, odds are you are collecting victims at a rapid pace.”