At least 17 malware-laced packages have been discovered on the NPM package registry, adding to a recent barrage of malicious software hosted and delivered through open-source software repositories such as PyPI and RubyGems.
DevOps firm JFrog said the libraries, now taken down, were designed to grab Discord access tokens and environment variables from users' computers, as well as to gain full control over a victim's system.
“The packages’ payloads are varied, ranging from infostealers up to full remote access backdoors,” researchers Andrey Polkovnychenko and Shachar Menashe said in a report published Wednesday. “Additionally, the packages have different infection tactics, including typosquatting, dependency confusion and trojan functionality.”
The list of packages is below:
- prerequests-xcode (version 1.0.4)
- discord-selfbot-v14 (version 12.0.3)
- discord-lofy (version 11.5.1)
- discordsystem (version 11.5.1)
- discord-vilao (version 1.0.0)
- fix-error (version 1.0.0)
- wafer-bind (version 1.1.2)
- wafer-autocomplete (version 1.25.0)
- wafer-beacon (version 1.3.3)
- wafer-caas (version 1.14.20)
- wafer-toggle (version 1.15.4)
- wafer-geolocation (version 1.2.10)
- wafer-image (version 1.2.2)
- wafer-form (version 1.30.1)
- wafer-lightbox (version 1.5.4)
- octavius-public (version 1.836.609)
- mrg-message-broker (version 9998.987.376)
As prior research has established, collaboration and communication tools like Discord and Slack have become handy mechanisms for cybercriminals, with Discord servers integrated into attack chains for remotely controlling infected machines and even exfiltrating data from victims.