Massive threat campaign strikes open-source repos, Sonatype spots new CursedGrabber malware

Sonatype has discovered more malware in the npm registry which, following our analysis and multiple cyber threat intelligence reports, has led to the discovery of a novel and large scale malware campaign leveraging the open-source ecosystem.

The malware called “xpc.js” was spotted on Friday by our Nexus Intelligence research service which includes next generation machine learning algorithms that automatically detect potentially malicious activity associated with open source ecosystems.

This follows on the heels of last week’s news when Sonatype’s Nexus Intelligence engine and it’s release integrity algorithm discovered discord.dll: the successor to “fallguys” malware and 3 other components. Since launching Release Integrity out of beta on Oct. 7 this year, our Nexus Intelligence service has discovered five malicious components. 

It is worth noting xpc.js was published to npm by the same author luminate_ aka Luminate-D who is also behind additional malware discovered last week: discord.dll,, wsbd.js, and ac-addon.

Sonatype’s deep dive research analysis has concluded both “xpc.js” and malicious components identified last week are part of a newly identified family of Discord malware called CursedGrabber.

What is xpc.js and what does it do?

xpc.js is not a JavaScript file but the name of the malicious npm component itself.

The component exists as a tar.gz (tgz) archive with just one version 6.6.6 (likely a pun) and was published to npm registry around November 11, 2020.

xpc.js has scored just under a 100 downloads as Sonatype discovered it almost immediately after the author published it. 

The NodeJS files it includes have a very similar structure to malware reported by Sonatype last week:, wsbd.js and ac-addon

Sonatype security researcher Sebastián Castro who analyzed xpc.js explains:

“The malware targets Windows (Read more…)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: