17 malicious npm packages stole Discord tokens

Written by Emma Davis

Researchers have found 17 more malicious packages in the npm registry that stole credentials, Discord tokens, information about Discord servers and other data. A Discord token acts like an authentication cookie: whoever holds it can access the victim's Discord account without the password.

The problem was reported by JFrog's security research team. They write that the payloads of the malicious packages varied, from info-stealers to backdoors with full remote access, which suggests the packages were created and distributed by several different attackers.

"The packages have different infection tactics, including the use of typosquatting, dependency confusion and Trojan horse functions," the company said in a report.

JFrog reports that the following packages had malicious functionality:

Package               Version        Payload                           Infection method
prerequests-xcode     1.0.4          Remote Access Trojan (RAT)        Unknown
discord-selfbot-v14   12.0.3         Discord token thief               Typosquatting / Trojan
discord-lofy          11.5.1         Discord token thief               Typosquatting / Trojan
discordsystem         11.5.1         Discord token thief               Typosquatting / Trojan
discord-vilao         1.0.0          Discord token thief               Typosquatting / Trojan
fix-error             1.0.0          PirateStealer (Discord malware)   Trojan
wafer-bind            1.1.2          Environment variable thief        Typosquatting
wafer-autocomplete    1.25.0         Environment variable thief        Typosquatting
wafer-beacon          1.3.3          Environment variable thief        Typosquatting
wafer-caas            1.14.20        Environment variable thief        Typosquatting
wafer-toggle          1.15.4         Environment variable thief        Typosquatting
wafer-geolocation     1.2.10         Environment variable thief        Typosquatting
wafer-image           1.2.2          Environment variable thief        Typosquatting
wafer-form            1.30.1         Environment variable thief        Typosquatting (wafer-*)
wafer-lightbox        1.5.4          Environment variable thief        Typosquatting (wafer-*)
octavius-public       1.836.609      Environment variable thief        Typosquatting (octavius)
mrg-message-broker    9998.987.376   Environment variable thief        Dependency confusion

"Fortunately, all packages were removed before they could have a large number of installations (according to npm data), so we managed to avoid a PyPI-like scenario where malicious packages were downloaded tens of thousands of times before they were discovered and removed," the experts say.
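As an added, defender-side example (not code from the JFrog report or from this article), the script below audits a package.json dependency map against the package list above and flags the two patterns the article names: an implausibly high version number, a common dependency-confusion tell (compare mrg-message-broker at 9998.987.376), and a name within a small edit distance of a watched package name, a typosquatting tell. The sample dependency map and the watched-name list are constructed for this example.

```javascript
// Added example: audit a dependency map against the package list above
// plus two heuristics (implausible version, near-miss name).
const MALICIOUS = new Set([
  "prerequests-xcode", "discord-selfbot-v14", "discord-lofy", "discordsystem",
  "discord-vilao", "fix-error", "wafer-bind", "wafer-autocomplete", "wafer-beacon",
  "wafer-caas", "wafer-toggle", "wafer-geolocation", "wafer-image", "wafer-form",
  "wafer-lightbox", "octavius-public", "mrg-message-broker",
]);
// Constructed watch list: names an organisation wants typosquat checks for.
const WATCHED = ["lodash", "express"];
// Constructed sample dependency map, as found in a package.json "dependencies".
const SAMPLE_DEPS = {
  "mrg-message-broker": "^9998.987.376", // on the JFrog list, absurd version
  "express": "^4.18.2",                   // legitimate
  "wafer-bind": "1.1.2",                  // on the JFrog list
  "lodahs": "^4.17.21",                   // two characters away from "lodash"
};

// Levenshtein distance, used to spot near-miss (typosquat) package names.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                         d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// Returns findings [{name, reason}] for a {name: versionRange} map.
// maxMajor is a tunable threshold: majors at or above it are treated as
// the "hijack the resolver with a huge version" dependency-confusion pattern.
function auditDependencies(deps, maxMajor = 1000) {
  const findings = [];
  for (const [name, range] of Object.entries(deps)) {
    if (MALICIOUS.has(name)) findings.push({ name, reason: "known-malicious" });
    const major = parseInt(range.replace(/^[^\d]*/, ""), 10); // strip ^, ~, >= ...
    if (Number.isFinite(major) && major >= maxMajor)
      findings.push({ name, reason: "implausible-version" });
    for (const w of WATCHED)
      if (name !== w && editDistance(name, w) <= 2)
        findings.push({ name, reason: `typosquat-candidate:${w}` });
  }
  return findings;
}

for (const f of auditDependencies(SAMPLE_DEPS)) console.log(f.name, f.reason);
```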

The aforementioned Discord token theft allowed attackers to use the platform as a hidden channel to steal data, distribute malware to other Discord users, and even sell Discord Nitro premium accounts to third parties who could then use them in their campaigns.

The report also stresses that the prerequests-xcode package was especially dangerous: it functioned as a full-fledged remote access Trojan, a port of the DiscordRAT malware to Node.js. It could capture screenshots, collect clipboard contents, execute arbitrary VBScript and PowerShell code, steal passwords, and download further malicious files.

"Recently, we have seen a real flurry of malware that is hosted and delivered through open-source repositories. Public repositories have become a convenient tool for distributing malware: the repository server is a trusted resource, and interaction with it does not raise suspicions from antivirus or firewall software. In addition, the ease of installation with automation tools such as the npm client provides a ready-made attack vector," they write.

As a reminder, we previously reported that the PyPI repository removed 11 packages that were stealing Discord tokens and passwords.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
