A total of 17 malware-laced packages were recently discovered on the Node Package Manager package Registry, or NPM for short, before being taken down. The purpose of these packages ranged from stealing Discord tokens or other information to installing remote access trojans on the victim machine.
The infection tactics of these packages included typosquatting, dependency confusion, and trojan functionality. Typosquatting is when a user creates malicious packages with similar names as legitimate ones, in order to exploit a user mistyping a package name or not knowing the real name of the legitimate package they are looking for. Dependency confusion, on the other hand, is exploiting organizations who utilize private packages by creating a malicious package with the same name as the private one on the public registry.
While most of the malicious packages discovered were classified as infostealers, one of them was found to be a fully-fledged remote access trojan, or RAT. This RAT was found to be a Node.JS port of DiscordRAT, a popular RAT used by malicious actors that utilizes Discord for its command-and-control traffic. DiscordRAT allows for the malicious actor to capture screenshots, execute arbitrary code, and effectively take over the entire system.
All 17 packages have been removed from the NPM repository. The full list of packages and versions can be found below:
- prerequests-xcode (version 1.0.4)
- discord-selfbot-v14 (version 12.0.3)
- discord-lofy (version 11.5.1)
- discordsystem (version 11.5.1)
- discord-vilao (version 1.0.0)
- fix-error (version 1.0.0)
- wafer-bind (version 1.1.2)
- wafer-autocomplete (version 1.25.0)
- wafer-beacon (version 1.3.3)
- wafer-caas (version 1.14.20)
- wafer-toggle (version 1.15.4)
- wafer-geolocation (version 1.2.10)
- wafer-image (version 1.2.2)
- wafer-form (version 1.30.1)
- wafer-lightbox (version 1.5.4)
- octavius-public (version 1.836.609)
- mrg-message-broker (version 9998.987.376)
Supply chain attacks against software package repositories are quickly becoming a favorite technique of malicious actors, due to the ease of use and potential wide impact of infection. Organizations can help protect themselves from such attacks in a few ways. The dependency confusion attack can be mitigated by validating each development system has a proper private npm proxy configuration set and utilizes scoping for package downloads. These two techniques will help prevent a developer utilizing a private NPM package from accidentally installing it from the public repository. Typosquatting can be more difficult to prevent, as it relies on a common human error to work. Organizations can help prevent this from occurring by tightly managing their use of NPM for software curation and restricting developers from installing non-curated packages. Likewise, many package managers now include tools, such as npm audit, to alert users to potential vulnerable or malicious packages.
Malicious npm Packages Are After Your Discord Tokens – 17 New Packages Disclosed