
Researchers discovered 17 malicious packages in the NPM (Node.js package manager) repository that were developed to hijack Discord servers. The libraries allow stealing access tokens and environment variables from the systems running them, giving the attackers full access to the victim’s Discord account.
The packages' payloads range from info-stealers to backdoors; the experts pointed out that the malicious packages use different infection tactics, including typosquatting, dependency confusion, and trojan functionality.
We disclosed these 17 malicious packages to the npm code maintainers, and the packages were promptly removed from the npm repository, a good indication that these packages are indeed causing issues. Luckily, these packages were removed before they could rack up many downloads, so we managed to avoid a scenario like our last PyPI disclosure, where the malicious packages were downloaded tens of thousands of times before they were detected and removed.
Researchers' Statement
These packages were promptly removed from the npm repository before they reached many downloads, avoiding a massive campaign
Below is the list of packages discovered by the experts:
| Package | Version | Payload | Infection Method |
| --- | --- | --- | --- |
| prerequests-xcode | 1.0.4 | Remote Access Trojan | Unknown |
| discord-selfbot-v14 | 12.0.3 | Discord token grabber | Typosquatting/Trojan (discord.js) |
| discord-lofy | 11.5.1 | Discord token grabber | Typosquatting/Trojan (discord.js) |
| discordsystem | 11.5.1 | Discord token grabber | Typosquatting/Trojan (discord.js) |
| discord-vilao | 1.0.0 | Discord token grabber | Typosquatting/Trojan (discord.js) |
| fix-error | 1.0.0 | PirateStealer malware | Trojan |
| wafer-bind | 1.1.2 | Environment variable stealer | Typosquatting (wafer-*) |
| wafer-autocomplete | 1.25.0 | Environment variable stealer | Typosquatting (wafer-*) |
| wafer-beacon | 1.3.3 | Environment variable stealer | Typosquatting (wafer-*) |
| wafer-caas | 1.14.20 | Environment variable stealer | Typosquatting (wafer-*) |
| wafer-toggle | 1.15.4 | Environment variable stealer | Typosquatting (wafer-*) |
| wafer-geolocation | 1.2.10 | Environment variable stealer | Typosquatting (wafer-*) |
| wafer-image | 1.2.2 | Environment variable stealer | Typosquatting (wafer-*) |
| wafer-form | 1.30.1 | Environment variable stealer | Typosquatting (wafer-*) |
| wafer-lightbox | 1.5.4 | Environment variable stealer | Typosquatting (wafer-*) |
| octavius-public | 1.836.609 | Environment variable stealer | Typosquatting (octavius) |
| mrg-message-broker | 9998.987.376 | Environment variable stealer | Dependency confusion |
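As an added example (not code from the researchers or this article), the following script audits an npm `package-lock.json` against the package@version pairs in the table above and also flags implausibly high version numbers, the tell behind the `mrg-message-broker` dependency-confusion entry. The sample lockfile, the `acme-internal-utils` package name and the 1000 threshold are constructed assumptions for the demonstration.

```javascript
// Known-bad package@version pairs from the table above.
const KNOWN_BAD = new Set([
  "prerequests-xcode@1.0.4", "discord-selfbot-v14@12.0.3", "discord-lofy@11.5.1",
  "discordsystem@11.5.1", "discord-vilao@1.0.0", "fix-error@1.0.0",
  "wafer-bind@1.1.2", "wafer-autocomplete@1.25.0", "wafer-beacon@1.3.3",
  "wafer-caas@1.14.20", "wafer-toggle@1.15.4", "wafer-geolocation@1.2.10",
  "wafer-image@1.2.2", "wafer-form@1.30.1", "wafer-lightbox@1.5.4",
  "octavius-public@1.836.609", "mrg-message-broker@9998.987.376",
]);

// Dependency confusion relies on the public copy out-versioning the internal
// one, so a version component this large is worth a look. The threshold is
// an assumption for this example; tune it to your own versioning scheme.
const SUSPICIOUS_COMPONENT = 1000;

function hasImplausibleVersion(version) {
  return version.split(".").some((part) => Number(part) >= SUSPICIOUS_COMPONENT);
}

// Audit a package-lock.json (lockfileVersion 2 or 3, "packages" map) and
// return one finding per entry that is known-bad or looks confused.
function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const name = path.split("node_modules/").pop(); // keeps @scope/name intact
    const version = entry.version || "";
    if (KNOWN_BAD.has(`${name}@${version}`)) {
      findings.push({ name, version, reason: "known malicious package" });
    } else if (hasImplausibleVersion(version)) {
      findings.push({ name, version, reason: "implausible version, possible dependency confusion" });
    }
  }
  return findings;
}

// Constructed sample lockfile for demonstration; not from a real project.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/discord-lofy": { version: "11.5.1" },
    "node_modules/acme-internal-utils": { version: "99999.0.0" },
  },
});

console.log(auditLockfile(SAMPLE_LOCK));
```

Point `auditLockfile` at the real lockfile contents in CI to catch both a known-bad pin and a private package name that resolved to a suspiciously high public version.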
The threat actors behind these packages focus on Discord accounts for multiple reasons such as:
- using the Discord servers as part of the command & control (C2) infrastructure behind a malware campaign.
- using the Discord servers as an anonymous exfiltration channel.
- spreading malware to Discord users.
- selling stolen Discord Nitro premium accounts.
Researchers highlighted the availability of many Discord token grabbers on GitHub, along with build instructions, due to the popularity of the platform as an attack vector. This means that an attacker can easily develop custom malware in a few minutes without extensive programming skills.
Public repositories have become a handy instrument for malware distribution: the repository’s server is a trusted resource, and communication with it does not raise the suspicion of any antivirus or firewall. In addition, the ease of installation via automation tools such as the NPM client provides a ripe attack vector.