Tens of malicious NPM packages caught hijacking Discord servers


Researchers from cybersecurity firm JFrog found 17 malicious packages on the NPM package repository hijacking Discord servers.

JFrog researchers have discovered 17 malicious packages in the NPM (Node.js package manager) repository that were developed to hijack Discord servers.

The libraries steal Discord access tokens and environment variables from the systems that run them, giving the attackers full access to the victim’s Discord account.

The packages’ payloads range from info-stealers to backdoors. The experts pointed out that the malicious packages use different infection tactics, including typosquatting, dependency confusion, and trojan functionality.

“We disclosed these 17 malicious packages to the npm code maintainers, and the packages were promptly removed from the npm repository — a good indication these packages are indeed causing issues,” reads the report published by the experts. “Luckily, these packages were removed before they could rack up a large number of downloads (based on npm records) so we managed to avoid a scenario similar to our last PyPI disclosure, where the malicious packages were downloaded tens of thousands of times before they were detected and removed.”

The good news is that the packages were promptly removed from the npm repository before they reached a large number of downloads.

Below is the list of packages discovered by the experts:

Package | Version | Payload | Infection Method
prerequests-xcode | 1.0.4 | Remote Access Trojan (RAT) | Unknown
discord-selfbot-v14 | 12.0.3 | Discord token grabber | Typosquatting/Trojan (discord.js)
discord-lofy | 11.5.1 | Discord token grabber | Typosquatting/Trojan (discord.js)
discordsystem | 11.5.1 | Discord token grabber | Typosquatting/Trojan (discord.js)
discord-vilao | 1.0.0 | Discord token grabber | Typosquatting/Trojan (discord.js)
fix-error | 1.0.0 | PirateStealer (Discord malware) | Trojan
wafer-bind | 1.1.2 | Environment variable stealer | Typosquatting (wafer-*)
wafer-autocomplete | 1.25.0 | Environment variable stealer | Typosquatting (wafer-*)
wafer-beacon | 1.3.3 | Environment variable stealer | Typosquatting (wafer-*)
wafer-caas | 1.14.20 | Environment variable stealer | Typosquatting (wafer-*)
wafer-toggle | 1.15.4 | Environment variable stealer | Typosquatting (wafer-*)
wafer-geolocation | 1.2.10 | Environment variable stealer | Typosquatting (wafer-*)
wafer-image | 1.2.2 | Environment variable stealer | Typosquatting (wafer-*)
wafer-form | 1.30.1 | Environment variable stealer | Typosquatting (wafer-*)
wafer-lightbox | 1.5.4 | Environment variable stealer | Typosquatting (wafer-*)
octavius-public | 1.836.609 | Environment variable stealer | Typosquatting (octavius)
mrg-message-broker | 9998.987.376 | Environment variable stealer | Dependency confusion

The threat actors behind these packages focus on Discord accounts for multiple reasons, such as:

  • using the Discord servers as part of the command & control (C2) infrastructure behind a malware campaign;
  • using the Discord servers as an anonymous exfiltration channel;
  • spreading malware to Discord users;
  • selling stolen Discord Nitro premium accounts.

The researchers highlighted the availability of many Discord token grabbers on GitHub, along with build instructions, owing to the popularity of the platform as an attack vector. This means that an attacker can assemble custom malware in a few minutes without extensive programming skills.

“It’s important to note these payloads are less likely to be caught by antivirus solutions, versus a full-on RAT backdoor, since a Discord stealer does not modify any files, does not register itself anywhere (to be executed on next boot, for example) and does not perform suspicious operations such as spawning child processes,” concludes the report.

“Public repositories have become a handy instrument for malware distribution: the repository’s server is a trusted resource, and communication with it does not raise the suspicion of any antivirus or firewall. In addition, the ease of installation via automation tools such as the NPM client, provides a ripe attack vector.”


Pierluigi Paganini

(SecurityAffairs – hacking, Discord servers)
