17 malicious npm packages stole Discord tokens

Researchers have found 17 more malicious packages in the npm repository that steal credentials, Discord tokens, information about Discord servers and more. A Discord token works like an authentication cookie: whoever holds it can access the victim's Discord account.

The problem was reported by JFrog researchers. They write that the payloads of the malicious packages varied from info-stealers to backdoors with full remote access, which suggests the packages were created and distributed by different attackers.

"The packages have different infection tactics, including the use of typosquatting, dependency confusion and Trojan-horse functions," the company said in a report.

JFrog reports that the following packages had malicious functionality:

Package             | Version      | Payload                    | Infection method
--------------------|--------------|----------------------------|--------------------------------
prerequests-xcode   | 1.0.4        | Remote Access Trojan (RAT) | Unknown
discord-selfbot-v14 | 12.0.3       | Discord token thief        | Typosquatting / Trojan
discord-lofy        | 11.5.1       | Discord token thief        | Typosquatting / Trojan
discordsystem       | 11.5.1       | Discord token thief        | Typosquatting / Trojan
discord-vilao       | 1.0.0        | Discord token thief        | Typosquatting / Trojan
fix-error           | 1.0.0        | PirateStealer (Discord malware) | Trojan
wafer-bind          | 1.1.2        | Environment variable thief | Typosquatting
wafer-autocomplete  | 1.25.0       | Environment variable thief | Typosquatting
wafer-beacon        | 1.3.3        | Environment variable thief | Typosquatting
wafer-caas          | 1.14.20      | Environment variable thief | Typosquatting
wafer-toggle        | 1.15.4       | Environment variable thief | Typosquatting
wafer-geolocation   | 1.2.10       | Environment variable thief | Typosquatting
wafer-image         | 1.2.2        | Environment variable thief | Typosquatting
wafer-form          | 1.30.1       | Environment variable thief | Typosquatting (wafer-*)
wafer-lightbox      | 1.5.4        | Environment variable thief | Typosquatting (wafer-*)
octavius-public     | 1.836.609    | Environment variable thief | Typosquatting (octavius)
mrg-message-broker  | 9998.987.376 | Environment variable thief | Dependency confusion

"Fortunately, all packages were removed before they could gain a large number of installations (according to npm data), so we managed to avoid a PyPI-like scenario where malicious packages were downloaded tens of thousands of times before they were discovered and removed," the experts say.
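As an added example (not code from the article or from JFrog), the check a maintainer would want after reading the table above: a small Node.js script that audits a package-lock.json (lockfileVersion 2 or 3) for the 17 listed packages, including transitive installs nested under other packages. The sample lockfile it scans is constructed for the demo, and the "implausibly high version" heuristic for dependency-confusion uploads is our own assumption, not something the report states.

```javascript
// Added example (not from the article or the JFrog report): audit a package-lock.json
// for the 17 packages in the table above. Handles lockfileVersion 2/3, whose "packages"
// map is keyed by node_modules path, so nested (transitive) installs are covered too.
const KNOWN_BAD = new Map(Object.entries({        // package name -> version from the report
  'prerequests-xcode': '1.0.4', 'discord-selfbot-v14': '12.0.3', 'discord-lofy': '11.5.1',
  'discordsystem': '11.5.1', 'discord-vilao': '1.0.0', 'fix-error': '1.0.0',
  'wafer-bind': '1.1.2', 'wafer-autocomplete': '1.25.0', 'wafer-beacon': '1.3.3',
  'wafer-caas': '1.14.20', 'wafer-toggle': '1.15.4', 'wafer-geolocation': '1.2.10',
  'wafer-image': '1.2.2', 'wafer-form': '1.30.1', 'wafer-lightbox': '1.5.4',
  'octavius-public': '1.836.609', 'mrg-message-broker': '9998.987.376',
}));

// Flatten the lockfile's "packages" map into {name, version, path} records.
function collectPackages(lock) {
  if (!lock.packages) throw new Error('expected lockfileVersion 2 or 3 ("packages" map)');
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    const i = path.lastIndexOf('node_modules/');
    if (i === -1) continue;                         // "" is the root project itself
    found.push({ name: path.slice(i + 'node_modules/'.length), version: meta.version, path });
  }
  return found;
}

// One finding per suspicious package: a name from the report, or (heuristic, our assumption)
// an implausibly high version, the trick confusion uploads use to win over the internal copy.
function auditLockfile(lock) {
  const findings = [];
  for (const pkg of collectPackages(lock)) {
    if (KNOWN_BAD.has(pkg.name)) {
      const exact = KNOWN_BAD.get(pkg.name) === pkg.version;
      findings.push({ ...pkg, reason: exact ? 'known malicious release' : 'known malicious package' });
    } else if (parseInt(pkg.version, 10) >= 1000) {
      findings.push({ ...pkg, reason: 'implausibly high version (possible dependency confusion)' });
    }
  }
  return findings;
}

// Constructed lockfileVersion 3 sample: clean package, token thief, nested confusion upload.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/express': { version: '4.18.2' },
    'node_modules/discord-lofy': { version: '11.5.1' },
    'node_modules/express/node_modules/mrg-message-broker': { version: '9998.987.376' },
    'node_modules/internal-utils': { version: '4242.0.0' },
  },
};
```

Run it against a real lockfile with `auditLockfile(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; the `path` field in each finding tells you which top-level dependency pulled the package in.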

Stolen Discord tokens let attackers use the platform as a covert channel for exfiltrating data, distribute malware to other Discord users, and even sell Discord Nitro premium accounts to third parties for use in their own campaigns.

The researchers also emphasize that the prerequests-xcode package was especially dangerous: it functioned as a full-fledged remote access Trojan, a Node.js port of the DiscordRAT malware, capable of capturing screenshots, reading the clipboard, executing arbitrary VBScript and PowerShell code, stealing passwords and downloading further malicious files.

"Recently, we have seen a real flurry of malware that is hosted and delivered through open-source repositories. Public repositories have become a convenient tool for distributing malware: the repository server is a trusted resource, and interaction with it does not raise suspicion from antivirus or firewall software. In addition, the ease of installation with automation tools such as the npm client provides a ready-made attack vector," they write.

As a reminder, we previously wrote that the PyPI repository removed 11 packages that were stealing Discord tokens and passwords.

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.