
Another batch of 25 malicious JavaScript libraries have made their way to the official NPM package registry with the goal of stealing Discord tokens and environment variables from compromised systems, more than two months after 17 similar packages were taken down.

The libraries in question used typosquatting techniques and masqueraded as legitimate packages such as colors.js, crypto-js, discord.js, marked, and noblox.js, DevOps security firm JFrog said, attributing the packages to “novice malware authors.”

The complete list of packages is below:

  • node-colors-sync (Discord token stealer)
  • color-self (Discord token stealer)
  • color-self-2 (Discord token stealer)
  • wafer-text (Environment variable stealer)
  • wafer-countdown (Environment variable stealer)
  • wafer-template (Environment variable stealer)
  • wafer-darla (Environment variable stealer)
  • lemaaa (Discord token stealer)
  • adv-discord-utility (Discord token stealer)
  • tools-for-discord (Discord token stealer)
  • mynewpkg (Environment variable stealer)
  • purple-bitch (Discord token stealer)
  • purple-bitchs (Discord token stealer)
  • noblox.js-addons (Discord token stealer)
  • kakakaakaaa11aa (Connectback shell)
  • markedjs (Python remote code injector)
  • crypto-standarts (Python remote code injector)
  • discord-selfbot-tools (Discord token stealer)
  • discord.js-aployscript-v11 (Discord token stealer)
  • discord.js-selfbot-aployscript (Discord token stealer)
  • discord.js-selfbot-aployed (Discord token stealer)
  • discord.js-discord-selfbot-v4 (Discord token stealer)
  • colors-beta (Discord token stealer)
  • vera.js (Discord token stealer)
  • discord-protection (Discord token stealer)

Discord tokens have emerged as lucrative means for threat actors to gain unauthorized access to accounts sans a password, enabling the operators to exploit the access to propagate malicious links via Discord channels.

Environment variables, stored as key-value pairs, are used to save information pertaining to the programming environment on the development machine, including API access tokens, authentication keys, API URLs, and account names.

Two rogue packages, named markedjs and crypto-standarts, stand out for their role as duplicate trojan packages in that they completely replicate the original functionality of well-known libraries marked and crypto-js, but feature additional malicious code to remotely inject arbitrary Python code.
