17 malicious packages in the Node.js package manager (npm) code repository were looking to harvest Discord tokens

Cybersecurity specialists report the detection of a set of malicious packages in Node.js package manager repository (npm) designed to collect Discord tokens and eventually take control of the affected accounts. As some users may recall, the npm repository is an open source platform for JavaScript developers to share and reuse blocks of code. Malicious packages can pose a threat to the supply chain as they can be used as building blocks in various web applications.

Security researchers at JFrog Security reported the detection of a set of 17 malicious packages, with different payloads and tactics. These tools were all designed to target Discord, the virtual meeting platform used by nearly 350 million users.

According to the report, the packages’ payloads are varied, ranging from information stealing tools up to full remote access backdoors: “The packages also have multiple tactics to deploy malicious actions”, researchers say. Besides, experts say Discord is the ideal target for these hackers for multiple reasons, including:

  • The platform is also part of the attack. Discord servers are often used as anonymous C&C servers, remote access Trojan (RAT) controllers and even as botnet commanding tools
  • A hacked Discord account can serve in social engineering campaigns and malware deployment automatically
  • Hackers can compromise Discord Nitro accounts to resell them cheaply on an online marketplace. Discord Nitro costs $100 a year, so a stolen account is sold at just a fraction of the price

To lure users into downloading the packages, the malicious projects employ several tricks; for example, two of the 17 packages (discord-lofy and discord-selfbot-v14) hide themselves as modifications of the legitimate library discord.js, which enables interaction with the Discord API.

Malware developers also took the original discord.js library as the base and injected obfuscated malicious code into the file src/client/actions/UserGet.js in a classic Trojan tactic.

Npm code managers have removed any potentially malicious packages; however, some of them could still be active in some projects, so users of Discord developing tools should remain aware about this security risk.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.