Security researchers at Sonatype have discovered today an npm package (JavaScript library) that contains malicious code designed to steal sensitive files from a user’s browsers and Discord application.
Named discord.dll, the malicious JavaScript library is still available via npm, a web portal, command-line utility, and package manager for JavaScript programmers.
Developers use npm to load and then update libraries (npm packages) inside their JavaScript projects, be they websites, desktop apps, or server applications.
Sonatype says that once installed, discord.dll will run malicious code to search a developer’s computer for certain applications and then retrieve their internal LevelDB databases.
Targeted apps include browsers like Google Chrome, Brave, Opera, and the Yandex Browser, but also the Discord instant messaging app, popular today with most online gamers.
The files the malware retrieves are LevelDB databases, which the aforementioned apps use to store information such as browsing histories and various access tokens.
Discord.dll would read the files and attempt to post their content to a Discord channel via a Discord webhook.
Links to another malicious npm package
Sonatype said that after a review, it found that the malicious code was an improved version of a malicious library it saw in August. Named fallguys, this library, too, was collecting the same information, although in a less complicated manner.
Sonatype, a company that monitors public package repositories as part of its developer security operations (DevSecOps) services, said discord.dll was published more than five months ago and has been downloaded more than 100 times.
In contrast, despite being available on the npm portal for only two weeks, the fallguys package was downloaded more than 300 times.
The greater success of fallguys is likely explained by its README file, which advertised the library as an interface to the “Fall Guys: Ultimate Knockout” game API. The discord.dll package, on the other hand, shipped with an empty README, suggesting that the project was either abandoned or never “officially” launched by its creator.
Other suspicious npm packages detected
The discord.dll package is still available on the npm portal, but Sonatype said it already notified the npm security team, and the package will most likely be removed in the coming days.
Furthermore, researchers said the author of the discord.dll package had uploaded ten other packages to the npm site, three of which contained malicious behavior that would download and run three unidentified EXE files, a non-standard behavior for JavaScript (npm) packages.
Since the EXE files could not be retrieved, researchers were unable to fully confirm the nature of the three libraries, named discord.app (88 downloads), ac-addon (46 downloads), and wsbd.js (38 downloads).