U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Malicious npm package ‘fallguys’ removed from the official repository

The npm security team removed a malicious JavaScript library from the npm repository that was designed to steal sensitive files from the victims. The npm security team has removed the JavaScript library “fallguys” from the npm portal because it was containing a malicious code used to steal sensitive files from an infected users’ browser and […]

npm

The npm security team removed a malicious JavaScript library from the npm repository that was designed to steal sensitive files from the victims.

The npm security team has removed the JavaScript library “fallguys” from the npm portal because it was containing a malicious code used to steal sensitive files from an infected users’ browser and Discord application.

The fallguys library claimed to provide an interface to the “Fall Guys: Ultimate Knockout” game API. The package was available the repository for two weeks and was downloaded nearly 300 times.

“fallguys contained malicious code that attempted to read local sensitive files and exfiltrate information through a Discord webhook.” reads the npm’s advisory.

Every project that integrated the malicious library, upon execution will get the malicious code executed.

Experts noticed that the malicious package was designed to steal only specific sensitive information from the infected developers’ systems.

This malicious code would attempt to access the content of the following five local files and then post the data inside a Discord channel:

  • /AppData/Local/Google/Chrome/User\x20Data/Default/Local\x20Storage/leveldb
  • /AppData/Roaming/Opera\x20Software/Opera\x20Stable/Local\x20Storage/leveldb
  • /AppData/Local/Yandex/YandexBrowser/User\x20Data/Default/Local\x20Storage/leveldb
  • /AppData/Local/BraveSoftware/Brave-Browser/User\x20Data/Default/Local\x20Storage/leveldb
  • /AppData/Roaming/discord/Local\x20Storage/leveldb

The first four files are LevelDB databases used common browsers like Chrome, Opera, Yandex Browser, and Brave. The files contain a user’s browsing history data.

The /AppData/Roaming/discord/Local\x20Storage/leveldb file is a sort of LevelDB database for the Discord Windows client that is used to store information on the channels a user has joined.

Experts speculate the malicious package was used to gather information on developers using it, such as the sites they were accessing.

“Remove the package from your system and ensure any compromised credentials are rotated.” concludes the advisory.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, npm)

[adrotate banner=”5″]

[adrotate banner=”13″]