Fake Discord npm Package Is Malware That Steals Browser Data


Security researchers have identified a malicious npm package that an attacker designed to steal web browser files and Discord gaming instant messages. This is not the first attempt of its kind, and it looks like the project has been online for quite some time.

Npm packages are usually JavaScript libraries, and developers regularly use them in various projects. While these libraries are generally loaded directly in browsers, it’s possible to integrate them into apps as well. The widespread use of such libraries makes npm packages a common target, so attackers constantly try to compromise them.

Usually, the attackers use common names for the files to confuse potential users. In the recent campaign, the names followed a similar pattern:

discord.dll

discord.app

wsbd.js

ac-addon

“The discord.dll is an npm component which conducts sinister activities that are hard to spot upfront,” say the researchers from Sonatype. “It also uses the legitimate Discord.js npm dependency to potentially distract researchers from its otherwise nefarious activities.”

The attacker’s goal is to exfiltrate Discord and web browser’s ‘leveldb’ files. Furthermore, the package contains mentions of collecting other types of data, such as the IP address or PC username. The project also includes a Webhook.js file that allows the attacker to send the stolen information to a Discord channel.
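For teams that vet dependencies before installing them, the combination described above (reads of 'leveldb' storage plus a Discord webhook endpoint) can be checked statically. The following is an added example, not code from the package or from Sonatype; the regular expressions, the `scanPackage` helper and the sample files are assumptions constructed for illustration.

```javascript
// Static triage of an unpacked npm package for the behaviours the article
// describes. Patterns are illustrative assumptions, not vendor signatures.
const INDICATORS = {
  // Chromium-based browsers and the Discord client keep local storage in LevelDB
  leveldbAccess: /leveldb/i,
  // Discord webhook endpoints, usable as an exfiltration channel
  discordWebhook: /discord(?:app)?\.com\/api\/webhooks\//i,
  // Host fingerprinting: local username or a public-IP lookup service
  hostRecon: /userInfo\s*\(|process\.env\.(?:USERNAME|USER)\b|api\.ipify\.org/i,
};

// files: object mapping file name -> source text of that file
function scanPackage(files) {
  const findings = [];
  for (const [name, source] of Object.entries(files)) {
    source.split(/\r?\n/).forEach((line, i) => {
      for (const [indicator, pattern] of Object.entries(INDICATORS)) {
        if (pattern.test(line)) findings.push({ file: name, line: i + 1, indicator });
      }
    });
  }
  const seen = new Set(findings.map((f) => f.indicator));
  // Either indicator alone is common in benign code; local-storage access
  // together with a webhook endpoint is the combination worth escalating.
  const suspicious = seen.has("leveldbAccess") && seen.has("discordWebhook");
  return { suspicious, findings };
}

// Constructed samples (not the real package contents; <id>/<token> are placeholders).
const SAMPLE_FLAGGED = {
  "index.js": [
    'const path = require("path");',
    'const dir = path.join(process.env.APPDATA, "discord", "Local Storage", "leveldb");',
    'const user = require("os").userInfo().username;',
  ].join("\n"),
  "Webhook.js": 'const url = "https://discord.com/api/webhooks/<id>/<token>";',
};
const SAMPLE_BENIGN = {
  "bot.js": 'const { Client } = require("discord.js");\nconst db = require("level")("./data");',
};

console.log(scanPackage(SAMPLE_FLAGGED).suspicious, scanPackage(SAMPLE_BENIGN).suspicious);
```

A match is a reason to read the flagged lines by hand, not a verdict; obfuscated or dynamically built strings will not be caught by pattern matching.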

Upon further inspection, the researchers found that the same attacker had a similar campaign a while ago, albeit using more complex tools.

The team found the package on November 9 and disclosed the situation on the same day. Researchers defended this position, saying that since the package was already live, with a few hundred downloads, users had to be informed as soon as possible.