However, after developers downloaded the library and integrated it inside their projects, when the infected dev would run their code, the malicious package would also execute.
Per the npm security team, this code would attempt to access five local files, read their content, and then post the data inside a Discord channel (as a Discord webhook).
The five files the package would attempt to read are:
The first four files are LevelDB databases specific to browsers like Chrome, Opera, Yandex Browser, and Brave. These files usually store information specific to a user's browsing history.
The last file was a similar LevelDB database but for the Discord Windows client, which similarly stores information on the channels a user has joined, and other channel-specific content.
Of note is that the malicious package did not steal other sensitive data from the infected developers' computers, such as session cookies or the browser database that was storing credentials.
The malicious package appears to have been performing some sort of reconnaissance, gathering data on victims, and trying to assess what sites the infected developers were accessing, before delivering more targeted code via an update to the package later down the road.
The npm security team advises that developers remove the malicious package from their projects.
The malicious package was available on the site for two weeks, during which time it was downloaded nearly 300 times.