Another npm package was stealing information from browsers and Discord

Written by Emma Davis

The most popular JavaScript package manager is in trouble again: another package on npm (Node Package Manager) was stealing information from browsers and Discord.

Researchers from Sonatype discovered a malicious library, discord.dll, published about 5 months ago and designed to steal confidential files from browsers and Discord.

Once installed, discord.dll runs malicious code to search the developer’s computer for specific applications, and then extracts their internal LevelDB databases, where data such as browsing history and various access tokens are stored.

In particular, the malware was interested in the browsers Google Chrome, Brave, Opera and Yandex.Browser, as well as the Discord messenger, which is popular mostly among gamers. Discord.dll sent the data stolen from these applications to a special Discord channel, Sonatype researchers said.

The researchers write that this malware is an improved version of another malicious library discovered in early autumn. At that time, the malicious fallguys package, supposedly designed to work with the API of the game Fall Guys: Ultimate Knockout, collected the same information about developers, but in a slightly different way.

Interestingly, fallguys was available for download for only two weeks, but during this time the package was downloaded more than 300 times. In turn, discord.dll was available for almost six months, but gained only about 100 downloads.

The researchers believe that the popularity of the first package could be attributed to the content of its README file, where the library was advertised as an interface to the Fall Guys: Ultimate Knockout API. The README file of discord.dll, by contrast, was empty, which usually indicates that the project was abandoned or was never "officially" launched by its author.

The malicious discord.dll has already been removed by the npm security team, but the author of the package managed to upload ten other packages to the site, three of which also exhibit malicious behavior: they download and run three obscure EXE files (bd.exe, dropper.exe and lib.exe), Sonatype researchers also reported.

Unfortunately, the researchers were unable to examine these files, so no definitive conclusions were drawn. However, Sonatype still warns of the potential dangers of (88 downloads), ac-addon (46 downloads), and wsbd.js (38 downloads), which are still available for download.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing from Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
