The libraries in question took advantage of typosquatting techniques and impersonated other legitimate packages such as colors.js, crypto-js, discord.js, marked and noblox.js, said DevOps security firm JFrog, attributing the packages to the work of “novice malware authors.”
The full list of packages is below:
- node-colors-sync (Discord token thief)
- color-self (Discord token thief)
- color-self-2 (Discord token thief)
- wafer-text (Environment variable thief)
- wafer-countdown (Environment variable thief)
- wafer-template (environment variable thief)
- wafer-darla (environment variable thief)
- lemaaa (Discord token thief)
- adv-discord-utility (Discord token thief)
- tools-for-discord (Discord Token Stealer)
- mynewpkg (Environment Variable Stealer)
- purple-bitch (Discord token thief)
- purple-bitches (Discord token thief)
- noblox.js-addons (Discord token thief)
- kakakaakaaa11aa (Connectback shell)
- markjs (Python remote code injector)
- crypto-standards (Python remote code injector)
- discord-selfbot-tools (Discord token thief)
- discord.js-aployscript-v11 (Discord Token Stealer)
- discord.js-selfbot-aployscript (Discord token thief)
- discord.js-selfbot-aployed (Discord Token Stealer)
- discord.js-discord-selfbot-v4 (Discord Token Thief)
- colors-beta (Discord token thief)
- vera.js (Discord token thief)
- discord-protection (discord token thief)
Discord tokens have become a lucrative way for threat actors to gain unauthorized access to accounts without passwords, allowing operators to exploit access to spread malicious links through Discord channels.
Environment variables, stored as key-value pairs, are used to store information about the programming environment on the development machine, including API access tokens, authentication keys, API URLs, and account names.
Two rogue packages, named markjs and crypto-standards, stand out as duplicate trojan packages in that they completely replicate the original functionality of the well-known markjs and crypto-js libraries, but include additional malicious code to remotely inject arbitrary Python code.
Another malicious package is lemaaa, “a library intended for use by malicious actors to manipulate Discord accounts,” said researchers Andrey Polkovnychenko and Shachar Menashe. “When used in a certain way, the library will hijack the secret Discord token given to it, in addition to performing the requested utility function.”
Specifically, lemaaa is designed to use the provided Discord token to siphon off the victim’s credit card information, take control of the account by changing the account password and email, and even remove all of the victim’s friends.
Vera.js, also a Discord token collector, takes a different approach to carrying out its token theft activities. Instead of retrieving information from local disk storage, it retrieves tokens from local storage of a web browser.
“This technique can be useful for stealing tokens that were generated while logging in using the web browser on the Discord website, as opposed to using the Discord app (which saves the token to storage on local disk),” the researchers said.
If anything, the findings are the latest in a series of disclosures exposing the abuse of NPM to deploy a range of payloads, from information stealers to full remote access backdoors, making it imperative that developers inspect their package dependencies to mitigate typosquatting and dependency confusion attacks.
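One way to act on that advice is a dependency audit run against a project's package.json. The script below is an added example, not code from the article or from JFrog: it flags any dependency that exactly matches a package name in the list above, and, as a generalisation of the impersonation pattern the article describes, any name that is a suffix of one of the impersonated packages (colors, crypto-js, discord.js, marked, noblox.js) or within a small edit distance of one. The sample package.json, the hypothetical package names `discord.js-utils-helper` and `markedd`, and the edit-distance threshold of 2 are all constructed for the example.

```javascript
// Added example (not from the article or JFrog): audit a package.json for
// dependencies that are known-malicious, suffix-squat a legitimate package,
// or are a near-miss (typo) of a legitimate package name.

// Package names taken from the article's list (all reported as malicious).
const MALICIOUS = new Set([
  "node-colors-sync", "color-self", "color-self-2", "wafer-text", "wafer-countdown",
  "wafer-template", "wafer-darla", "lemaaa", "adv-discord-utility", "tools-for-discord",
  "mynewpkg", "purple-bitch", "purple-bitches", "noblox.js-addons", "kakakaakaaa11aa",
  "markjs", "crypto-standards", "discord-selfbot-tools", "discord.js-aployscript-v11",
  "discord.js-selfbot-aployscript", "discord.js-selfbot-aployed",
  "discord.js-discord-selfbot-v4", "colors-beta", "vera.js", "discord-protection",
]);

// Legitimate packages the article says were impersonated.
const LEGITIMATE = ["colors", "crypto-js", "discord.js", "marked", "noblox.js"];

// Maximum edit distance at which a name is reported as a near-miss (assumption).
const NEAR_MISS_THRESHOLD = 2;

// Levenshtein edit distance using a single rolling row.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diagonal = row[0]; // D[i-1][j-1] for the current j
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // D[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diagonal + cost);
      diagonal = above;
    }
  }
  return row[b.length];
}

// Returns a reason string if the name looks suspicious, otherwise null.
function classify(name) {
  if (MALICIOUS.has(name)) return "known-malicious";
  for (const legit of LEGITIMATE) {
    if (name === legit) return null; // the genuine package itself
    // "colors-beta", "noblox.js-addons": legitimate name plus a separator and a suffix.
    if (name.startsWith(legit) && /[-_.]/.test(name[legit.length])) {
      return `suffix-squat of ${legit}`;
    }
    // "markjs" vs "marked": a handful of character edits away.
    if (levenshtein(name, legit) <= NEAR_MISS_THRESHOLD) {
      return `near-miss of ${legit}`;
    }
  }
  return null;
}

// Audits dependencies and devDependencies of a parsed package.json object.
function auditDependencies(pkgJson) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    const reason = classify(name);
    if (reason) findings.push({ name, reason });
  }
  return findings;
}

// Constructed sample package.json for the demonstration.
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  dependencies: {
    "discord.js": "^13.0.0",
    "markjs": "^1.0.0",
    "colors-beta": "^1.0.0",
    "crypto-js": "^4.1.1",
    "lemaaa": "^0.1.0",
    "discord.js-utils-helper": "^1.0.0", // hypothetical suffix-squat
    "markedd": "^1.0.0",                 // hypothetical typo of "marked"
  },
  devDependencies: { "noblox.js-addons": "^1.0.0", "eslint": "^8.0.0" },
};

console.log(JSON.stringify(auditDependencies(SAMPLE_PACKAGE_JSON), null, 2));
```

The near-miss and suffix rules are heuristics for triage, not verdicts: a short, genuine package such as `color` is one edit away from `colors` and will be reported for manual review. Exact matches against the published list are the only findings that should be treated as confirmed.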