25 Malicious JavaScript Libraries Distributed Through Official NPM Package Repository

A series of 25 libraries JavaScript Other malicious has reached the registry package NPM official with the goal of stealing Discord tokens and environment variables from compromised systems, more than two months after 17 similar packages were taken down.

DevOps security firm JFrog said that the libraries in question took advantage of the typo and masqueraded as other legitimate packages like color.js, crypto-js, discord.js, mark and noblox.js , DevOps security firm JFrog said, attributing these packages to the work of “software malicious novice author. “

Here is the complete list of packages:

node-Colors-sync (Discord Token Stealer) color-self (Discord Token Stealer) color-self-2 (Discord Token Stealer) wafer-text (Environment Variable Stealer) ) wafer-countdown (Environment variable stealer) wafer-template (Environment variable thief) wafer-darla (Environment variable stealer) lemaaa (Discord token stealer) adv-discord-utilities (Discord Token Stealer) tools-for-disord (Discord Token Stealer) mynewpkg (Environment Variable Stealer) Purple-bitch (Discord Token Thief) Purple-bitchs (Discorder) steal Discord tokens) noblox.js-addons (Discord Token Stealer) kakakaakaaaa11aa (Connectback Shell) markjs (Python Remote Code Injector) crypto-standarts (Python Remote Code Injector) Colors – beta (Discord token stealer) vera.js (Discord token stealer n stealer) discord guard (Discord token stealer)

Discord tokens have emerged as a lucrative means for threat actors to gain unauthorized access to accounts for passwords, allowing operators to exploit access to spread malicious links via Discord channels.

Environment variables, stored as key-value pairs, are used to store information related to the programming environment on the development machine, including API access tokens, authentication keys, API URLs and account name.

The two rogue packages, named markjs and crypto-standarts, stand out as duplicate trojan packages in that they completely copy the original functionality of the well-known libraries marked and crypto-js , but with additional malicious code to inject arbitrary Python code into the remote .

Researchers Andrey Polkovnychenko and Shachar Menashe say another malware package is lemaaa, “a library used by malicious threats to manipulate Discord accounts.” “When used in a certain way, the library will appropriate the secret Discord token issued to it, in addition to performing the requested utility function.”

Specifically, lemaaa is designed to use the provided Discord token to get the victim’s credit card information, take over the account by changing the password and email of the account, even delete all your friends. friends of the victim.

Vera.js, also a Discord token grabber, takes a different approach to its token stealing operations. Instead of retrieving information from local disk storage, it retrieves tokens from the web browser’s local storage.

“This technique could be useful for stealing tokens generated when logging in with a web browser to the Discord website, as opposed to when using the Discord app (which saves tokens to),” the researchers said. local disk memory)”.

If anything, the findings are the latest in a series of revelations that uncover the abuse of NPM to deploy a wide range of payloads ranging from credential stealers to access backdoors. full remoting, making it imperative for developers to check their dependent packages to minimize typos and dependency confusion attacks.

.