The most popular JavaScript package manager is back in trouble. Another package in npm (Node Package Manager) was stealing information from browsers and Discord.
Researchers from Sonatype discovered a malicious library, discord.dll, published about 5 months ago and designed to steal confidential files from browsers and Discord. Once installed, discord.dll runs malicious code that searches the developer's computer for specific applications and then extracts their internal LevelDB databases, where data such as browsing history and various access tokens are stored.
The researchers write that this malware is an improved version of another malicious library discovered in early autumn. Let me remind you that back then the malicious fallguys package, supposedly designed to work with the API of the game Fall Guys: Ultimate Knockout, collected the same information about developers, but in a slightly different way.
Interestingly, fallguys was available for download for only two weeks, but during this time the package was downloaded more than 300 times. In turn, discord.dll was available for almost six months, but gained only about 100 downloads.
The researchers believe that the popularity of the first package could be attributed to the content of its README file, where the library was advertised as an interface to the Fall Guys: Ultimate Knockout API. By contrast, the README file of discord.dll was empty, which usually indicates that the project was abandoned or was never "officially" launched by the author at all.
Unfortunately, the researchers were unable to examine these files, so no definitive conclusions were drawn. However, Sonatype still warns of the potential dangers of discord.app (88 downloads), ac-addon (46 downloads), and wsbd.js (38 downloads), which are still available for download.
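To check whether any of the packages named in this article were ever resolved into a project, the following added example (not code from Sonatype or from the original article) walks a parsed package-lock.json in both the nested v1 layout and the flat v2/v3 layout, so that transitive installs and v2/v3 npm aliases are caught too. The sample lockfiles, their version numbers and the names game-helper, chat-sdk and bot-kit are constructed for illustration.

```javascript
// Added example. Package names are the ones named in the article above.
const FLAGGED = new Set(["discord.dll", "fallguys", "discord.app", "ac-addon", "wsbd.js"]);
const MARK = "node_modules/";

// Returns [{ name, version, path }] for each flagged package in a parsed package-lock.json.
function findFlagged(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ("" is the root project).
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue;
      const i = path.lastIndexOf(MARK);
      // meta.name is set when the folder name differs from the real package (npm alias).
      const name = meta.name || (i === -1 ? path : path.slice(i + MARK.length));
      if (FLAGGED.has(name)) hits.push({ name, version: meta.version, path });
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree; recurse to reach transitive installs.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = [...trail, name];
      if (FLAGGED.has(name)) hits.push({ name, version: meta.version, path: here.join(" > ") });
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles: versions and parent package names are made up.
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/express": { version: "4.18.2" },
  "node_modules/game-helper": { version: "0.1.0" },
  "node_modules/game-helper/node_modules/fallguys": { version: "0.0.0" },
  "node_modules/chat-sdk": { name: "discord.app", version: "0.0.0" }, // aliased install
  "node_modules/wsbd.js": { version: "0.0.0" },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  "left-pad": { version: "1.3.0" },
  "bot-kit": { version: "0.0.1", dependencies: { "discord.dll": { version: "0.0.0" } } },
} };

console.log(findFlagged(SAMPLE_V3));
console.log(findFlagged(SAMPLE_V1));
```

To run it against a real project, pass the result of `JSON.parse` on the contents of its package-lock.json to `findFlagged`; a non-empty result means the lockfile resolved one of the named packages and the host that installed it should be treated as exposed.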