Researchers have found 17 more malicious packages in the npm registry that steal credentials, Discord tokens, information about Discord servers and more. A Discord token works like an authentication cookie: whoever holds it can log in to the account it belongs to.
The problem was reported by JFrog researchers. They write that the payloads of the malicious packages varied, from info-stealers to backdoors with full remote access, which suggests that the packages were created and distributed by different attackers.
JFrog reports that the following packages had malicious functionality:
| Package | Version | Payload | Infection method |
|---|---|---|---|
| prerequests-xcode | 1.0.4 | Remote Access Trojan (RAT) | Unknown |
| discord-selfbot-v14 | 12.0.3 | Discord token stealer | Typosquatting / Trojan |
| discord-lofy | 11.5.1 | Discord token stealer | Typosquatting / Trojan |
| discordsystem | 11.5.1 | Discord token stealer | Typosquatting / Trojan |
| discord-vilao | 1.0.0 | Discord token stealer | Typosquatting / Trojan |
| fix-error | 1.0.0 | PirateStealer (Discord malware) | Trojan |
| wafer-bind | 1.1.2 | Environment variable stealer | Typosquatting |
| wafer-autocomplete | 1.25.0 | Environment variable stealer | Typosquatting |
| wafer-beacon | 1.3.3 | Environment variable stealer | Typosquatting |
| wafer-caas | 1.14.20 | Environment variable stealer | Typosquatting |
| wafer-toggle | 1.15.4 | Environment variable stealer | Typosquatting |
| wafer-geolocation | 1.2.10 | Environment variable stealer | Typosquatting |
| wafer-image | 1.2.2 | Environment variable stealer | Typosquatting |
| wafer-form | 1.30.1 | Environment variable stealer | Typosquatting (wafer-*) |
| wafer-lightbox | 1.5.4 | Environment variable stealer | Typosquatting (wafer-*) |
| octavius-public | 1.836.609 | Environment variable stealer | Typosquatting (octavius) |
| mrg-message-broker | 9998.987.376 | Environment variable stealer | Dependency confusion |
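The table above doubles as a blocklist a defender can check a project against. The following script is an added example (not code from the article or from JFrog): it audits a package.json dependency map against the package/version pairs listed in the table and, separately, flags version numbers whose major component is implausibly high, the pattern seen in the mrg-message-broker entry, where an attacker publishes a public package with an enormous version so that the resolver prefers it over an internal package of the same name (dependency confusion). The threshold of 1000, the sample manifest and the package name acme-internal-utils are constructed for the example.

```javascript
// Added example: audit a package.json against the malicious packages the
// article lists and flag dependency-confusion style version numbers.
// Not code from the article or from JFrog.

// Package -> version pairs exactly as listed in the article's table.
const KNOWN_BAD = {
  'prerequests-xcode': '1.0.4',
  'discord-selfbot-v14': '12.0.3',
  'discord-lofy': '11.5.1',
  'discordsystem': '11.5.1',
  'discord-vilao': '1.0.0',
  'fix-error': '1.0.0',
  'wafer-bind': '1.1.2',
  'wafer-autocomplete': '1.25.0',
  'wafer-beacon': '1.3.3',
  'wafer-caas': '1.14.20',
  'wafer-toggle': '1.15.4',
  'wafer-geolocation': '1.2.10',
  'wafer-image': '1.2.2',
  'wafer-form': '1.30.1',
  'wafer-lightbox': '1.5.4',
  'octavius-public': '1.836.609',
  'mrg-message-broker': '9998.987.376',
};

// Assumed threshold for illustration: no ordinary dependency has a major
// version anywhere near this, but dependency-confusion bait often does.
const SUSPICIOUS_MAJOR = 1000;

// Strip a leading range operator so "^1.2.3" or ">=1.2.3" compares as "1.2.3".
function normalizeVersion(spec) {
  return String(spec).trim().replace(/^[\^~>=<\s]+/, '');
}

// True when the major version component is at or above the threshold.
function hasSuspiciousMajor(spec) {
  const m = /^(\d+)\./.exec(normalizeVersion(spec));
  return m !== null && Number(m[1]) >= SUSPICIOUS_MAJOR;
}

// Returns one finding per problem found: { name, version, reason }.
function auditDependencies(deps) {
  const findings = [];
  for (const [name, spec] of Object.entries(deps || {})) {
    const version = normalizeVersion(spec);
    if (Object.prototype.hasOwnProperty.call(KNOWN_BAD, name)) {
      const bad = KNOWN_BAD[name];
      findings.push({
        name,
        version,
        reason: version === bad
          ? `known malicious release ${bad}`
          : `name on the malicious list (reported version ${bad})`,
      });
    }
    if (hasSuspiciousMajor(spec)) {
      findings.push({
        name,
        version,
        reason: 'implausibly high major version (dependency-confusion pattern)',
      });
    }
  }
  return findings;
}

// Audit both runtime and development dependencies of a parsed package.json.
function auditPackageJson(pkg) {
  return [
    ...auditDependencies(pkg.dependencies),
    ...auditDependencies(pkg.devDependencies),
  ];
}

// Constructed sample manifest: two benign packages, two from the article's
// table, and one fictitious internal-looking name carrying a bait version.
const SAMPLE_PACKAGE_JSON = {
  name: 'sample-app',
  dependencies: {
    express: '^4.18.2',
    'wafer-form': '1.30.1',
    'mrg-message-broker': '9998.987.376',
  },
  devDependencies: {
    jest: '~29.0.0',
    'acme-internal-utils': '99999.0.0',
  },
};

for (const f of auditPackageJson(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.name}@${f.version}: ${f.reason}`);
}
```

Run it with Node.js; to audit a real project, replace SAMPLE_PACKAGE_JSON with the result of JSON.parse on the project's package.json. A name match with a different version is still reported, since a package that once shipped malware is rarely worth keeping, and the version heuristic is reported independently so that unlisted bait packages are caught as well.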
The aforementioned Discord token theft allowed attackers to use the platform as a hidden channel to steal data, distribute malware to other Discord users, and even sell Discord Nitro premium accounts to third parties who could then use them in their campaigns.
The researchers also stress that prerequests-xcode was especially dangerous: it functioned as a full-fledged remote access Trojan, a Node.js port of the DiscordRAT malware. It could capture screenshots, read the clipboard, execute arbitrary VBScript and PowerShell code, steal passwords and download malicious files.
As a reminder, we previously wrote that the PyPI repository removed 11 packages that were stealing Discord tokens and passwords.