Security News > 2021 > January > Discord-Stealing Malware Invades npm Packages

The packages represent a supply-chain threat given that they may be used as building blocks in various web applications; any applications corrupted by the code can steal tokens and other information from Discord users, researchers said.

There is also "Clear evidence that the malware campaign was using a Discord bot to generate fake download counts for the packages to make them appear more popular to potential users," according to researchers at Sonatype.

The authors are the same operators behind the CursedGrabber Discord malware, the researchers said, and the packages share DNA with that threat.

Exe files scans user profiles from multiple web browsers along with Discord leveldb files, steals Discord tokens, steals credit-card information, and sends user data via a webhook to the attacker.

In the case of the three npm packages, these "Contain variations of Discord token-stealing code from the Discord malware discovered by Sonatype on numerous occasions," said Sonatype security researcher Ax Sharma, in a Friday blog posting.

In December for instance, RubyGems, an open-source package repository and manager for the Ruby web programming language, had to take two of its software packages offline after they were found to be laced with malware.

News URL

https://threatpost.com/discord-stealing-malware-npm-packages/163265/