Malicious npm package caught trying to steal sensitive files

mood · Aug 28, 2020

Malicious npm package caught trying to steal sensitive Discord and browser files
Malicious code was hidden inside a JavaScript library
August 28, 2020
https://www.zdnet.com/article/malic...to-steal-sensitive-discord-and-browser-files/

The npm security team has removed a malicious JavaScript library from the npm portal that was designed to steal sensitive files from an infected users' browser and Discord application.

The malicious package was a JavaScript library named "fallguys" that claimed to provide an interface to the "Fall Guys: Ultimate Knockout" game API.
However, after developers downloaded the library and integrated it inside their projects, when the infected dev would run their code, the malicious package would also execute.

Per the npm security team, this code would attempt to access five local files, read their content, and then post the data inside a Discord channel (as a Discord webhook).
Click to expand...

Of note is that the malicious package did not steal other sensitive data from the infected developers' computers, such as session cookies or the browser database that was storing credentials.
The malicious package was available on the site for two weeks, during which time it was downloaded nearly 300 times.
Click to expand...

mood · Oct 5, 2020

Four npm packages found uploading user details on a GitHub page
Collected information included IP address, country, city, computer username, home directory path, and CPU model
October 5, 2020
https://www.zdnet.com/article/four-npm-packages-found-uploading-user-details-on-a-github-page/

Four JavaScript npm packages contained malicious code that collected user details and uploaded the information to a public GitHub page.
The four packages where this malicious code was identified included:

electorn: 255 downloads

lodashs: 78 downloads

loadyaml: 48 downloads

loadyml: 37 downloads

Click to expand...

All four packages were developed by the same user (simplelive12) and uploaded on the npm portal in August. Two packages (lodashs, loadyml) were removed by the author shortly after publication, but not before they infected some users.
The remainder packages, electorn and loadyaml, were removed last week, on October 1, by the npm security team following a report from Sonatype, a company that monitors public package repositories as part of its developer security operations (DevSecOps) services.

Sharma said the data wouldn't stay on GitHub for long and would be purged every 24 hours — most likely after being scraped and indexed inside another database.
Click to expand...

mood · Oct 17, 2020

NPM nukes NodeJS malware opening Windows, Linux reverse shells
October 16, 2020
https://www.bleepingcomputer.com/ne...malware-opening-windows-linux-reverse-shells/

NPM has removed multiple packages hosted on its repository this week that established connection to remote servers and exfiltrated user data.

These 4 packages had collected over 1,000 total downloads over the course of the last few months up until being removed by NPM yesterday.
Establishes a reverse shell to the attacker's server
The first three packages plutov-slack-client, nodetest1010, and nodetest199 share identical code.
After the packages are installed, the code establishes a reverse shell to the attacker's server, allowing the attacker to obtain remote access to the compromised machine.
Click to expand...

Uploads user data to a remote server
The last package on the list, npmpubman has a very different code structure and purpose.
It collects user data from the environment variables and uploads this information to a remote host.

It is possible that all four packages were authored by the same attacker(s) despite conflicting data provided in the package.json manifests.
Click to expand...

Cases of malware infiltrating the open-source ecosystem have been on the rise. Merely last month, I had blogged about npm malware that went undetected and had been publishing user's information on public GitHub pages in real-time.
Click to expand...

mood · Nov 9, 2020

mood said: ↑

Malicious npm package caught trying to steal sensitive Discord and browser files August 28, 2020
Click to expand...

Malicious NPM project steals Discord accounts, browser info
November 9, 2020
https://www.bleepingcomputer.com/ne...project-steals-discord-accounts-browser-info/

A heavily obfuscated and malicious NPM project is used to steal Discord user tokens and browser information from unsuspecting users.

NPM is an open system where anyone can submit modules for other developers to use.
Due to this open system, it is becoming common for malicious actors to upload malicious modules that steal data, download and execute programs, or perform malicious behavior when used in other projects.
Click to expand...

Malicious NPM steal browser data, Discord tokens
On August 25th, 2020, NPM removed a malicious package called "fallguys" designed to steal Discord tokens and browser information from Google Chrome, Brave Browser, Opera, and Yandex Browser.
Today, open-source security firm Sonatype discovered another malicious module that steals browser information and Discord tokens called 'discord.dll' that is believed to be a successor to the fallguys module.

Sonatype researcher Ax Sharma told BleepingComputer that it is common for malicious NPM projects to utilize names similar to legitimate projects to trick developers into using them.

"Typosquatting and brandjacking packages capitalize on an existing brand's value and take advantage of an innocent mistake made by a user," Sharma explained.
Click to expand...

The discord.dll project has been available on NPM for five months and has been downloaded one hundred times.
Click to expand...

Sonatype: Discord.dll: successor to npm “fallguys” malware went undetected for 5 months

This week, the Sonatype Security Research team has identified a series of counterfeit components in the npm ecosystem. These intentionally malicious packages seem to be doing similar, shady things to the malicious “fallguys” npm package discovered in September (those were stealing web browser files and Discord gaming IMs).
Click to expand...

mood · Jan 23, 2021

Discord-Stealing Malware Invades npm Packages
The CursedGrabber malware has infiltrated the open-source software code repository
January 22, 2021
https://threatpost.com/discord-stealing-malware-npm-packages/163265/

Three malicious software packages have been published to npm, a code repository for JavaScript developers to share and reuse code blocks. The packages represent a supply-chain threat given that they may be used as building blocks in various web applications; any applications corrupted by the code can steal tokens and other information from Discord users, researchers said.

As of Friday, the packages (named an0n-chat-lib, discord-fix and sonatype, all published by “scp173-deleted”) were still available for download. They make use of brandjacking and typosquatting to lure developers into thinking they’re legitimate. There is also “clear evidence that the malware campaign was using a Discord bot to generate fake download counts for the packages to make them appear more popular to potential users,” according to researchers at Sonatype.

The authors are the same operators behind the CursedGrabber Discord malware, the researchers said, and the packages share DNA with that threat.
Click to expand...

The CursedGrabber Discord malware family, discovered in November, targets Windows hosts.

In the case of the three npm packages, these “contain variations of Discord token-stealing code from the Discord malware discovered by Sonatype on numerous occasions,” said Sonatype security researcher Ax Sharma, in a Friday blog posting.
Click to expand...

Sonatype: CursedGrabber strikes again: Sonatype spots new malware campaign against Software Supply Chains

On January 16th, Sonatype became aware of 3 malicious packages that were published to npm, and leveraged brandjacking and typosquatting techniques that we previously warned about.
Click to expand...

mood · Jul 21, 2021

NPM package steals Chrome passwords on Windows via recovery tool
July 21, 2021
https://www.bleepingcomputer.com/ne...hrome-passwords-on-windows-via-recovery-tool/

New npm malware has been caught stealing credentials from the Google Chrome web browser by using legitimate password recovery tools on Windows systems.

Additionally, this malware listens for incoming connections from the attacker's C2 server and provides advanced capabilities, such as screen and camera access, directory listing, file lookup, file upload, and shell command execution.
As seen by BleepingComputer, the identified packages have been sitting on the npm registry since 2018 and scored over 2,000 total downloads at the time of writing.
Click to expand...

Uses ChromePass utility to 'recover' Chrome passwords
Today, researchers at ReversingLabs have disclosed their findings on two malicious npm packages that secretly steal passwords from your Chrome web browser.
These packages are called:

nodejs_net_server - over 1,300 total downloads

temptesttempfile - over 800 total downloads

Click to expand...

Oops! Malware author exposes their own passwords
In an unexpected twist, some versions of nodejs_net_server contain text files with usernames and plaintext passwords of the malware author, extracted from Chrome.

"These login credentials were stored in the 'a.txt' file located in the same folder as the password recovery tool named 'a.exe,'" said ReversingLabs reverse engineer Karlo Zanki in a blog post.

ReversingLabs believes, understanding what's inside your software, or having a Software Bill of Materials (SBOM) is a critical step in defending against these supply chain attacks.

"Package repositories offer conveniences for rapid application development, but also come with risks."
Click to expand...

ReversingLabs: Groundhog day: NPM package caught stealing browser passwords

Conclusion
Software supply chain attacks are becoming a powerful strategy for malicious actors. Security community needs to pay more attention to these types of threats. Everyone involved in the software development process needs to understand that malicious actors today are trying to compromise the development process across all of its stages. Developers are being targeted as a critical entry point to their organization and its client base.
Click to expand...

mood · Nov 4, 2021

Popular 'coa' NPM library hijacked to steal user passwords
November 4, 2021
https://www.bleepingcomputer.com/ne...npm-library-hijacked-to-steal-user-passwords/

Popular npm library 'coa' was hijacked today with malicious code injected into it, ephemerally impacting React pipelines around the world.

The 'coa' library, short for Command-Option-Argument, receives about 9 million weekly downloads on npm, and is used by almost 5 million open source repositories on GitHub.
Click to expand...

Malicious code injected into 'coa' releases
Today, developers around the world were left surprised to notice new releases for npm library 'coa'—a project that hasn't been touched for years, unexpectedly appear on npm.
'coa' is a command-line options parser for Node.js projects. The last stable version 2.0.2 for the project was released in December 2018.

"I'm not sure why or what happened but 10 minutes ago there was a release (even though the last change on GitHub was in 2018). Whatever this release did, it broke the internet," said Roberto Wesley Overdijk, a React developer.
Click to expand...

Malware identical to hacked 'ua-parser-js' and fake Noblox packages
This incident follows last month's hack of another popular npm library "ua-parser-js" that is used by Facebook, Microsoft, Amazon, Reddit, and other big tech firms.

The malware contained in hacked 'coa' versions, as analyzed by BleepingComputer, is virtually identical to the code found in the hijacked ua-parser-js versions, potentially establishing a link between the threat actors behind both incidents.
Based on our analysis and information seen thus far, the malware is likely the Danabot password-stealing Trojan for Windows.
Click to expand...

"NPM has removed the compromised versions and, if I understand correctly, blocked new versions from being published temporarily while recovering access to the package," explains Overdijk.

"No fix should be needed as the affected versions have been removed. But I'm leaving what I wrote initially just in case something does go wrong again. For now I'd advise you to pin the version as described below until this has been resolved conclusively."
Click to expand...

mood · Jul 28, 2022

Malicious npm packages steal Discord users’ payment card info
July 28, 2022

Multiple npm packages are being used in an ongoing malicious campaign dubbed LofyLife to infect Discord users with malware that steals their payment card information.

The malware used in these attacks is a variant of the open-source and Python-based Volt Stealer token logger, according to Kaspersky security researchers Igor Kuznetsov and Leonid Bezvershenko.

"On July 26, using the internal automated system for monitoring open-source repositories, we identified four suspicious packages in the Node Package Manager (npm) repository," the researchers said.
"All these packages contained highly obfuscated malicious Python and JavaScript code. We dubbed this malicious campaign 'LofyLife'."
Once installed, it collects Discord tokens and system information, including the victims' IP addresses.
Click to expand...

ESET: LofyLife: malicious npm packages steal Discord tokens and bank card data

The Python malware is a modified version of an open-source token logger called Volt Stealer. It is intended to steal Discord tokens from infected machines, along with the victim’s IP address, and upload them via HTTP.

The JavaScript malware we dubbed “Lofy Stealer” was created to infect Discord client files in order to monitor the victim’s actions. It detects when a user logs in, changes email or password, enables/disables multi-factor authentication (MFA) and adds new payment methods, including complete bank card details. Collected information is also uploaded to the remote endpoint whose address is hard-coded.
Click to expand...

mood · Jan 19, 2023

Hundreds of Malicious Packages Found in npm Registry
Phil Muncaster UK / EMEA News Reporter, Infosecurity Magazine - January 19, 2023

Security researchers discovered over 400 malicious packages in the popular open source registry npm in December, and dozens more in PyPI.
Click to expand...

Sonatype explained in a blog post that its AI tooling spotted 422 malicious npm packages focused mainly on data exfiltration via typosquatting or “dependency confusion attacks.” Additionally, it found 58 malicious packages in PyPI, including heavily obfuscated Discord token stealers.
That brings the total number of open source packages flagged by the vendor as malicious to nearly 104,000 since 2019.

These open source components have become near-ubiquitous in development projects as they offer a useful way to accelerate time to market.
However, cyber-criminals are increasingly inserting malware into packages in the hope they are unwittingly downloaded by developers.
Click to expand...

Among the malicious packages that caught Sonatype’s attention from December were several focused on macOS developer environments, including an infected version of crypto library Cobo Custody Restful.

“The attackers leveraged the fact that this package doesn’t have an official distribution through the PyPI registry,” Sonatype explained.
“By uploading a compromised version with the same name on PyPI, attackers expect that the package manager (pip) used by developers will prioritize the malicious version over the legit GitHub version.”
Click to expand...

“With names such as easytimestamp, pyrologin, discorder, discord-dev, style.py and pythonstyles, the malicious packages launch a PowerShell script that fetches a ZIP file and in a RAT fashion, installs the libraries pynput, pydirectinput, and pyscreenshot that allow the attacker to control the target’s mouse and keyboard, and take screenshots,” Sonatype explained.
Click to expand...

Log in or Sign up

Malicious npm package caught trying to steal sensitive files

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

Log in or Sign up

Malicious npm package caught trying to steal sensitive files

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

Useful Searches