Tens of malicious NPM packages caught hijacking Discord servers

Pierluigi Paganini December 09, 2021

Researchers from cybersecurity firm JFrog found 17 malicious packages on the NPM package repository that hijack Discord servers.

JFrog researchers have discovered 17 malicious packages in the NPM (Node.js package manager) repository that were developed to hijack Discord servers.

The libraries steal Discord access tokens and environment variables from the systems they run on, giving the attackers full access to the victim’s Discord account.

The packages’ payloads range from info-stealers to backdoors. The experts pointed out that the malicious packages use different infection tactics, including typosquatting, dependency confusion, and trojan functionality.

“We disclosed these 17 malicious packages to the npm code maintainers, and the packages were promptly removed from the npm repository — a good indication these packages are indeed causing issues.” reads the report published by the experts. “Luckily, these packages were removed before they could rack up a large number of downloads (based on npm records) so we managed to avoid a scenario similar to our last PyPI disclosure, where the malicious packages were downloaded tens of thousands of times before they were detected and removed.”

The good news is that the packages were promptly removed from the npm repository before they reached a large number of downloads.

Below is the list of packages discovered by the experts:

Package               Version        Payload                          Infection method
prerequests-xcode     1.0.4          Remote Access Trojan (RAT)       Unknown
discord-selfbot-v14   12.0.3         Discord token grabber            Typosquatting/Trojan (discord.js)
discord-lofy          11.5.1         Discord token grabber            Typosquatting/Trojan (discord.js)
discordsystem         11.5.1         Discord token grabber            Typosquatting/Trojan (discord.js)
discord-vilao         1.0.0          Discord token grabber            Typosquatting/Trojan (discord.js)
fix-error             1.0.0          PirateStealer (Discord malware)  Trojan
wafer-bind            1.1.2          Environment variable stealer     Typosquatting (wafer-*)
wafer-autocomplete    1.25.0         Environment variable stealer     Typosquatting (wafer-*)
wafer-beacon          1.3.3          Environment variable stealer     Typosquatting (wafer-*)
wafer-caas            1.14.20        Environment variable stealer     Typosquatting (wafer-*)
wafer-toggle          1.15.4         Environment variable stealer     Typosquatting (wafer-*)
wafer-geolocation     1.2.10         Environment variable stealer     Typosquatting (wafer-*)
wafer-image           1.2.2          Environment variable stealer     Typosquatting (wafer-*)
wafer-form            1.30.1         Environment variable stealer     Typosquatting (wafer-*)
wafer-lightbox        1.5.4          Environment variable stealer     Typosquatting (wafer-*)
octavius-public       1.836.609      Environment variable stealer     Typosquatting (octavius)
mrg-message-broker    9998.987.376   Environment variable stealer     Dependency confusion
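The table above shows the three infection patterns side by side: names squatting on a legitimate package family (wafer-*, octavius), an internal package name claimed on the public registry with an absurd version (mrg-message-broker 9998.987.376, the classic dependency-confusion signature), and trojanised discord.js look-alikes. The following audit script is an added example, not code from the JFrog report or from Security Affairs. It checks a project's package.json and package-lock.json for those patterns. The 17 names and versions in KNOWN_MALICIOUS are the ones listed above; INTERNAL_SCOPES, INTERNAL_PACKAGES, the version threshold and both sample manifests are assumptions constructed for illustration.

```javascript
// Added example (not from the JFrog report or Security Affairs): audit a
// dependency list for the supply-chain patterns in the disclosed package set.

// Package/version pairs exactly as listed in the disclosure.
const KNOWN_MALICIOUS = new Map([
  ['prerequests-xcode', '1.0.4'],
  ['discord-selfbot-v14', '12.0.3'],
  ['discord-lofy', '11.5.1'],
  ['discordsystem', '11.5.1'],
  ['discord-vilao', '1.0.0'],
  ['fix-error', '1.0.0'],
  ['wafer-bind', '1.1.2'],
  ['wafer-autocomplete', '1.25.0'],
  ['wafer-beacon', '1.3.3'],
  ['wafer-caas', '1.14.20'],
  ['wafer-toggle', '1.15.4'],
  ['wafer-geolocation', '1.2.10'],
  ['wafer-image', '1.2.2'],
  ['wafer-form', '1.30.1'],
  ['wafer-lightbox', '1.5.4'],
  ['octavius-public', '1.836.609'],
  ['mrg-message-broker', '9998.987.376'],
]);

// Assumption: the organisation publishes internal packages under these scopes
// (e.g. @wafer/form). An unscoped "wafer-form" on the public registry is the
// shape the wafer-* typosquats took.
const INTERNAL_SCOPES = ['wafer', 'octavius'];

// Assumption: private package names that must never resolve from the public
// registry; a public package with the same name is dependency confusion.
const INTERNAL_PACKAGES = new Set(['mrg-message-broker']);
const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';

// Assumption: no legitimate dependency here has a version component this large.
// Attackers pick huge versions so the public copy wins version resolution.
const MAX_SANE_VERSION_COMPONENT = 1000;

// Extract the numeric core of a semver range such as "^13.3.1" or ">=1.2.0".
function parseVersion(range) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(String(range));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Audit dependencies and devDependencies. lock is a lockfileVersion 2 object
// (or null) whose "packages" map is keyed "node_modules/<name>".
function auditDependencies(pkgJson, lock) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const findings = [];

  for (const [name, range] of Object.entries(deps)) {
    const locked = lock && lock.packages ? lock.packages[`node_modules/${name}`] : undefined;
    // Prefer the pinned lockfile version; fall back to the manifest range.
    const version = parseVersion(locked ? locked.version : range);

    if (KNOWN_MALICIOUS.has(name)) {
      findings.push({ name, reason: `known malicious package (disclosed version ${KNOWN_MALICIOUS.get(name)})` });
    }
    const scope = INTERNAL_SCOPES.find((s) => name.startsWith(`${s}-`));
    if (scope) {
      findings.push({ name, reason: `unscoped name mirrors internal scope @${scope}/* (typosquat pattern)` });
    }
    if (version && version.some((n) => n >= MAX_SANE_VERSION_COMPONENT)) {
      findings.push({ name, reason: `implausible version ${version.join('.')} (dependency-confusion indicator)` });
    }
    if (INTERNAL_PACKAGES.has(name) && locked && locked.resolved && locked.resolved.startsWith(PUBLIC_REGISTRY)) {
      findings.push({ name, reason: `internal package resolved from the public registry: ${locked.resolved}` });
    }
  }
  return findings;
}

// Constructed sample manifests (not from any real project).
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    'discord.js': '^13.3.1',
    'express': '^4.17.1',
    'wafer-form': '1.30.1',
    'mrg-message-broker': '9998.987.376',
  },
};
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/discord.js': { version: '13.3.1', resolved: `${PUBLIC_REGISTRY}discord.js/-/discord.js-13.3.1.tgz` },
    'node_modules/express': { version: '4.17.1', resolved: `${PUBLIC_REGISTRY}express/-/express-4.17.1.tgz` },
    'node_modules/wafer-form': { version: '1.30.1', resolved: `${PUBLIC_REGISTRY}wafer-form/-/wafer-form-1.30.1.tgz` },
    'node_modules/mrg-message-broker': { version: '9998.987.376', resolved: `${PUBLIC_REGISTRY}mrg-message-broker/-/mrg-message-broker-9998.987.376.tgz` },
  },
};

for (const f of auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK)) {
  console.log(`[!] ${f.name}: ${f.reason}`);
}
```

Run against the constructed sample it reports two findings for wafer-form (known bad, unscoped name in an internal scope) and three for mrg-message-broker (known bad, absurd version, internal name resolved from registry.npmjs.org), and nothing for discord.js or express. The blocklist check only catches what has already been disclosed; the scope and internal-name checks are what would have flagged these packages before the report, and they depend on the organisation actually maintaining a list of its private names.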

The threat actors behind these packages focus on Discord accounts for multiple reasons, such as:

  • using Discord servers as part of the command & control (C2) infrastructure behind a malware campaign;
  • using Discord servers as an anonymous exfiltration channel;
  • spreading malware to Discord users;
  • selling stolen Discord Nitro premium accounts.

Researchers highlighted the availability of many Discord token grabbers on GitHub, along with build instructions, due to the popularity of the platform as an attack vector. This means that an attacker without extensive programming skills can easily assemble custom malware in a few minutes.

“It’s important to note these payloads are less likely to be caught by antivirus solutions, versus a full-on RAT backdoor, since a Discord stealer does not modify any files, does not register itself anywhere (to be executed on next boot, for example) and does not perform suspicious operations such as spawning child processes.” concludes the report.

“Public repositories have become a handy instrument for malware distribution: the repository’s server is a trusted resource, and communication with it does not raise the suspicion of any antivirus or firewall. In addition, the ease of installation via automation tools such as the NPM client, provides a ripe attack vector.”
