A total of 17 malware-laced packages were recently discovered on the npm registry (Node Package Manager) before being taken down. Their payloads ranged from stealing Discord tokens and other credentials to installing remote access trojans on the victim's machine.
The infection tactics of these packages included typosquatting, dependency confusion, and trojanized functionality (a package that does what it advertises while also carrying a malicious payload). Typosquatting is when an attacker publishes a malicious package under a name close to that of a legitimate one, in order to catch users who mistype the package name or do not know the real name of the package they are looking for. Dependency confusion, on the other hand, targets organizations that use private, internally-named packages: the attacker publishes a package with the same name on the public registry, typically with an implausibly high version number, so that a build that consults both the private and public registries resolves to the public, malicious copy.
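The two registry-side tactics above can be checked for before `npm install` runs. The following is an added example, not code from the original report or from any of the packages it describes: it audits a `package.json` for unscoped dependencies whose names match the organization's own internal packages (dependency-confusion candidates), for version specifiers with absurdly high major numbers, for scoped packages whose scope is not pinned to a registry in `.npmrc`, and for names one edit away from a popular package (typosquatting candidates). The manifest, the `.npmrc` contents, the internal-name list and the popular-name list are all constructed sample data and assumptions for illustration.

```javascript
// Added example (not from the original article): a pre-install audit of a
// package.json for dependency-confusion and typosquatting candidates.
// All inputs below are constructed sample data.

// Assumed organizational knowledge: names of packages that exist only on the
// private registry, and a short list of popular public packages to compare against.
const sampleOptions = {
  internalNames: ['acme-message-broker', 'acme-cache'],
  popularNames: ['express', 'lodash', 'react'],
  // Constructed .npmrc: only the @acme scope is routed to the private registry.
  npmrc: '@acme:registry=https://npm.internal.example/\nregistry=https://registry.npmjs.org/\n',
};

// Constructed package.json with one example of each problem.
const samplePackageJson = {
  name: 'sample-app',
  dependencies: {
    'express': '^4.18.2',            // legitimate
    'expres': '1.0.0',               // one edit from "express": typosquat candidate
    'acme-message-broker': '^1.2.0', // unscoped internal name: confusion candidate
    'acme-cache': '^9999.0.0',       // internal name AND implausible version
    '@acme/auth-client': '^2.0.0',   // scoped and pinned to the private registry: fine
    '@contractor/ui': '^1.0.0',      // scoped but no registry mapping in .npmrc
    'lodash': '^4.17.21',            // legitimate
  },
};

// Standard single-row Levenshtein edit distance.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Parse "@scope:registry=URL" lines from .npmrc into a scope -> registry map.
function parseNpmrcScopes(text) {
  const scopes = {};
  for (const raw of text.split('\n')) {
    const m = raw.trim().match(/^(@[^:]+):registry=(.+)$/);
    if (m) scopes[m[1]] = m[2];
  }
  return scopes;
}

// Returns a list of findings: { name, issue, detail }.
function auditDependencies(pkg, { internalNames, popularNames, npmrc }) {
  const scopeRegistries = parseNpmrcScopes(npmrc);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, spec] of Object.entries(deps)) {
    if (name.startsWith('@')) {
      // A scoped name is only safe from confusion if its scope is pinned to a registry.
      const scope = name.split('/')[0];
      if (!scopeRegistries[scope]) {
        findings.push({ name, issue: 'scope-not-pinned', detail: `${scope} has no registry mapping in .npmrc` });
      }
      continue;
    }
    if (internalNames.includes(name)) {
      findings.push({ name, issue: 'dependency-confusion', detail: 'unscoped internal name is resolvable from the public registry' });
    }
    // Strip range operators (^, ~, >=, ...) and look at the major version.
    const major = parseInt(spec.replace(/^[\^~>=<\s]*/, ''), 10);
    if (Number.isInteger(major) && major >= 1000) {
      findings.push({ name, issue: 'implausible-version', detail: spec });
    }
    // Exactly one edit away from a well-known package, but not the package itself.
    for (const popular of popularNames) {
      if (name !== popular && levenshtein(name, popular) === 1) {
        findings.push({ name, issue: 'typosquat', detail: `one edit away from ${popular}` });
      }
    }
  }
  return findings;
}

// Run the audit over the constructed manifest when executed directly.
for (const f of auditDependencies(samplePackageJson, sampleOptions)) {
  console.log(`${f.issue.padEnd(22)} ${f.name}: ${f.detail}`);
}
```

The edit-distance threshold of 1 is deliberately conservative; raising it to 2 for long names catches more squats but also flags legitimate forks, so review the output rather than failing the build on it blindly. Pinning every private scope in `.npmrc` (and not publishing unscoped internal names at all) removes the dependency-confusion class entirely, which is the fix the audit is pointing at.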
While most of the malicious packages discovered were classified as infostealers, one of them was found to be a fully fledged remote access trojan, or RAT. This RAT was a Node.js port of DiscordRAT, a RAT used by malicious actors that routes its command-and-control traffic through Discord; because Discord is a legitimate, widely used service, that traffic blends in with ordinary HTTPS connections and is hard to block by destination alone. DiscordRAT lets the operator capture screenshots, execute arbitrary commands, and effectively take over the entire system.
All 17 packages have been removed from the npm registry. The full list of packages and the malicious versions can be found below:
- prerequests-xcode (version 1.0.4)
- discord-selfbot-v14 (version 12.0.3)
- discord-lofy (version 11.5.1)
- discordsystem (version 11.5.1)
- discord-vilao (version 1.0.0)
- fix-error (version 1.0.0)
- wafer-bind (version 1.1.2)
- wafer-autocomplete (version 1.25.0)
- wafer-beacon (version 1.3.3)
- wafer-caas (version 1.14.20)
- wafer-toggle (version 1.15.4)
- wafer-geolocation (version 1.2.10)
- wafer-image (version 1.2.2)
- wafer-form (version 1.30.1)
- wafer-lightbox (version 1.5.4)
- octavius-public (version 1.836.609)
- mrg-message-broker (version 9998.987.376)