The security team at npm (Node Package Manager), one of the largest open source package ecosystems in the world, has removed more than a dozen malicious NPM packages designed to steal Discord access tokens and environment variables from users’ devices.
“Luckily, these packages were removed before they could rack up a large number of downloads (based on npm records) so we managed to avoid a scenario similar to our last PyPI disclosure, where the malicious packages were downloaded tens of thousands of times before they were detected and removed,” wrote researchers at the security firm JFrog, who discovered and reported the malicious packages.
“The packages’ payloads are varied, ranging from infostealers up to full remote access backdoors. Additionally, the packages have different infection tactics, including typosquatting, dependency confusion and trojan functionality,” they added.
According to the researchers, four of the discovered packages contained code for stealing Discord access tokens, strings of letters and numbers that act as an authorization credential for Discord’s servers; whoever holds a token can act as that account without knowing its password. One of the packages downloaded and installed a remote access trojan, which gives an attacker full control of the victim’s machine, while another contained a copy of PirateStealer, a tool that harvests private data stored by the Discord client, such as saved credit card details, login credentials and other personally identifiable information (PII).
Last but not least, a set of 11 malicious packages contained an environment variable stealer, designed to collect every environment variable of the victim process and send them to the attackers’ server. Payloads of this kind typically run from a package lifecycle script such as postinstall, so they fire during npm install with whatever the developer’s or CI environment holds at that moment, for example cloud credentials, API keys or registry tokens.
“This is a dangerous payload since environment variables are a prime location for keeping secrets that need to be used by the runtime (as they are safer than keeping the secrets in cleartext storage, or passing the secrets via command-line variables),” the researchers note.
JFrog’s discovery is not an isolated incident. Earlier this year, attackers hijacked the popular JavaScript NPM library UA-Parser-JS to infect Windows and Linux machines with crypto-miners and password-stealing malware. Soon after, Sonatype researchers spotted two related malicious NPM packages disguised as the legitimate package noblox.js.