The libraries in question leveraged typosquatting techniques and masqueraded as other legitimate packages such as colors.js, crypto-js, discord.js, marked, and noblox.js, DevOps security firm JFrog said, attributing the packages as the work of “novice malware authors.”
The complete list of packages is below –
node-colors-sync (Discord token stealer)
color-self (Discord token stealer)
color-self-2 (Discord token stealer)
wafer-text (Environment variable stealer)
wafer-countdown (Environment variable stealer)
wafer-template (Environment variable stealer)
wafer-darla (Environment variable stealer)
lemaaa (Discord token stealer)
adv-discord-utility (Discord token stealer)
tools-for-discord (Discord token stealer)
mynewpkg (Environment variable stealer)
purple-bitch (Discord token stealer)
purple-bitchs (Discord token stealer)
noblox.js-addons (Discord token stealer)
kakakaakaaa11aa (Connectback shell)
markedjs (Python remote code injector)
crypto-standarts (Python remote code injector)
discord-selfbot-tools (Discord token stealer)
discord.js-aployscript-v11 (Discord token stealer)
discord.js-selfbot-aployscript (Discord token stealer)
discord.js-selfbot-aployed (Discord token stealer)
discord.js-discord-selfbot-v4 (Discord token stealer)
colors-beta (Discord token stealer)
vera.js (Discord token stealer)
discord-protection (Discord token stealer)
Discord tokens have emerged as lucrative means for threat actors to gain unauthorized access to accounts sans a password, enabling the operators to exploit the access to propagate malicious links via Discord channels.
Environment variables, stored as key-value pairs, are used to save information pertaining to the programming environment on the development machine, including API access tokens, authentication keys, API URLs, and account names.
Two rogue packages, named markedjs and crypto-standarts, stand out for their role as duplicate trojan packages in that they completely replicate the original functionality of well-known libraries marked and crypto-js, but feature additional malicious code to remotely inject arbitrary Python code.
Another malicious package is lemaaa, “a library which is meant to be used by malicious threat actors to manipulate Discord accounts,” researchers Andrey Polkovnychenko and Shachar Menashe said. “When used in a certain way, the library will hijack the secret Discord token given to it, in addition to performing the requested utility function.”
Specifically, lemaaa is engineered to use the supplied Discord token to siphon victim’s credit card information, take over the account by changing the account password and email, and even remove all of the victim’s friends.
Vera.js, also a Discord token grabber, takes a different approach to carry out its token theft activities. Instead of retrieving the information from local disk storage, it retrieves the tokens from a web browser’s local storage.
“This technique can be helpful to steal tokens that were generated when logging using the web browser to the Discord website, as opposed to when using the Discord app (which saves the token to the local disk storage),” the researchers said.
If anything, the findings are the latest in a series of disclosures uncovering the abuse of NPM to deploy an array of payloads ranging from info-stealers up to full remote access backdoors, making it imperative that developers inspect their package dependencies to mitigate typosquatting and dependency confusion attacks.