
Another set of malicious npm packages was caught stealing Discord tokens and environment variables

JFrog Security, a DevOps security firm, today announced that it discovered and helped remove 25 malicious JavaScript libraries from the official npm package repository.

The company said in a blog post today that all 25 libraries mirrored the names of other libraries, in the hope that developers would accidentally include them in their projects when mistyping a name or not researching a package’s origin thoroughly enough.

JFrog claimed that the libraries also contained malicious code of different types, which suggests that they were created and maintained by different threat actors with different goals.

Seventeen libraries were set up to steal Discord access keys from the computers that ran the malicious code.

Although it may sound odd, Discord tokens are actually a valuable resource. They function in a similar way to browser authentication cookies. This allows attackers to gain access to accounts without having to provide a password.

These tokens are often traded underground and are commonly used by spammers to gain access to user accounts. They then flood Discord channels with ads and malicious links.

Five other packages contained code that stole environment variables, which are details from a developer’s local programming environment, from the infected projects.

These variables usually store OS information but can also contain API keys or login credentials for cloud services. This is information that many attackers love to collect.

But the most dangerous packages were the last three. They gave attackers access to user systems via Python code and shell commands.

JFrog described the threat actors as “novice hackers” since all they did was copy a legitimate package and then insert the malicious functionality. The research team said that while all of this involved minimal effort, the attacks would have had a high return on investment (ROI) if the packages had not been detected, which is why they expect to see similar malicious packages flood the npm repository in the future.

JFrog discovered malicious npm packages that were designed to steal Discord tokens.

Below is the list of the 25 malicious npm libraries.

| Package | Payload | Infection method |
| --- | --- | --- |
| node-colors-sync | Discord token stealer | Masquerading (colors) |
| color-self | Discord token stealer | Masquerading (colors) |
| color-self-2 | Discord token stealer | Masquerading (colors) |
| wafer-text | Environment variable stealer | Typosquatting (wafer-*) |
| wafer-countdown | Environment variable stealer | Typosquatting (wafer-*) |
| wafer-template | Environment variable stealer | Typosquatting (wafer-*) |
| wafer-darla | Environment variable stealer | Typosquatting (wafer-*) |
| lemaaa | Discord token stealer | Hidden functionality |
| adv-discord-utility | Discord token stealer | Unknown |
| tools-for-discord | Discord token stealer | Unknown |
| mynewpkg | Environment variable stealer | Unknown |
| purple-bitch | Discord token stealer | Unknown |
| purple-bitchs | Discord token stealer | Unknown |
| noblox.js-addons | Discord token stealer | Masquerading (noblox.js) |
| kakakaakaaa11aa | Connectback shell | Unknown |
| Markjs | Python remote code injector | Masquerading (Marked) |
| crypto-standarts | Python remote code injector | Masquerading (crypto-js) |
| discord-selfbot-tools | Discord token stealer | Masquerading (discord.js) |
| discord.js-aployscript-v11 | Discord token stealer | Masquerading (discord.js) |
| discord.js-selfbot-aployscript | Discord token stealer | Masquerading (discord.js) |
| discord.js-selfbot-aployed | Discord token stealer | Masquerading (discord.js) |
| discord.js-discord-selfbot-v4 | Discord token stealer | Masquerading (discord.js) |
| colors-beta | Discord token stealer | Masquerading (colors) |
| vera.js | Discord token stealer | Unknown |
| discord-protection | Discord token stealer | Unknown |
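
To check whether a project pulled in any of the packages listed above, directly or transitively, the following added example (not from the article or from JFrog) audits a parsed package-lock.json. It assumes the lockfileVersion 2 or 3 layout with a `packages` map. The prefix/suffix lookalike heuristic and the sample lockfile are constructed for illustration.

```javascript
// Added example (not JFrog's tooling): audit a parsed package-lock.json
// (lockfileVersion 2 or 3) for the packages listed in the table above.
const KNOWN_BAD = new Set([
  'node-colors-sync', 'color-self', 'color-self-2', 'wafer-text', 'wafer-countdown',
  'wafer-template', 'wafer-darla', 'lemaaa', 'adv-discord-utility', 'tools-for-discord',
  'mynewpkg', 'purple-bitch', 'purple-bitchs', 'noblox.js-addons', 'kakakaakaaa11aa',
  'markjs', 'crypto-standarts', 'discord-selfbot-tools', 'discord.js-aployscript-v11',
  'discord.js-selfbot-aployscript', 'discord.js-selfbot-aployed',
  'discord.js-discord-selfbot-v4', 'colors-beta', 'vera.js', 'discord-protection',
]);
// Libraries the table names as masquerading targets.
const IMITATED = ['colors', 'discord.js', 'noblox.js', 'crypto-js', 'marked'];

// "node_modules/a/node_modules/@s/b" -> "@s/b"; the root entry "" -> null.
function nameFromLockPath(path) {
  const i = path.lastIndexOf('node_modules/');
  return i === -1 ? null : path.slice(i + 'node_modules/'.length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromLockPath(path);
    if (!name) continue;
    const lower = name.toLowerCase(); // the table spells one name "Markjs"
    // Heuristic (assumption): a legitimate name with an extra prefix or suffix is
    // only a candidate for manual review; legitimate plugins match it too.
    const target = IMITATED.find(
      (t) => lower.startsWith(t + '-') || lower.endsWith('-' + t));
    if (KNOWN_BAD.has(lower)) findings.push({ name, path, version: meta.version, reason: 'listed' });
    else if (target) findings.push({ name, path, version: meta.version, reason: 'review: resembles ' + target });
  }
  return findings;
}

// Constructed sample lockfile; names other than the listed ones are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/colors': { version: '1.4.0' },
    'node_modules/colors-beta': { version: '1.0.0' },
    'node_modules/example-helper/node_modules/wafer-text': { version: '0.0.1' },
    'node_modules/discord.js-example-addon': { version: '0.1.0' },
  },
};
console.log(auditLockfile(SAMPLE_LOCK));
```

On a real project, pass the result of `JSON.parse` on the contents of package-lock.json to `auditLockfile`. A "listed" finding means any environment variables and Discord tokens present on that machine should be treated as exposed and rotated.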

Catalin Cimpanu is a cybersecurity reporter with The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known figure in the industry due to his constant scoops on cyberattacks, vulnerabilities, and law enforcement actions against hackers.
