Malicious npm package caught trying to steal sensitive Discord and browser files

Malicious code was hidden inside a JavaScript library for working with the "Fall Guys: Ultimate Knockout" game API.
Written by Catalin Cimpanu, Contributor

The npm security team has removed a malicious JavaScript library from the npm portal that was designed to steal sensitive files from an infected user's browser and Discord application.

The malicious package was a JavaScript library named "fallguys" that claimed to provide an interface to the "Fall Guys: Ultimate Knockout" game API.

However, once a developer installed the library and integrated it into a project, the malicious code inside the package ran every time that project's code ran.

Per the npm security team, this code would attempt to access five local files, read their contents, and post the data to a Discord channel through a Discord webhook.

The five files the package would attempt to read, as listed by npm, are the following (all of them sit under the Windows user profile directory; \x20 is the JavaScript escape for a space character):

  • /AppData/Local/Google/Chrome/User\x20Data/Default/Local\x20Storage/leveldb
  • /AppData/Roaming/Opera\x20Software/Opera\x20Stable/Local\x20Storage/leveldb
  • /AppData/Local/Yandex/YandexBrowser/User\x20Data/Default/Local\x20Storage/leveldb
  • /AppData/Local/BraveSoftware/Brave-Browser/User\x20Data/Default/Local\x20Storage/leveldb
  • /AppData/Roaming/discord/Local\x20Storage/leveldb

The first four are the LevelDB stores that back the Local Storage (web storage) of Chrome, Opera, Yandex Browser, and Brave. They hold the key/value data that websites save through the localStorage API, keyed by origin, rather than the browsing history itself; reading them reveals which sites the user has visited and whatever those sites chose to persist locally.

The last one is the equivalent LevelDB store for the Discord desktop client on Windows. Discord is an Electron application, so the same store holds the client's Local Storage, including the logged-in account's authentication token, which is why this exact path is a standard target for Discord token-stealing malware.

Of note, the package did not go after other sensitive data on the infected developers' computers, such as browser session cookies or the browser database that stores saved credentials.

The package therefore appears to have been doing some form of reconnaissance: gathering data on victims and assessing which sites the infected developers were using, with more targeted code possibly delivered later through an update to the package.

The npm security team advises that developers remove the malicious package from their projects.

The malicious package was available on npm for two weeks, during which time it was downloaded nearly 300 times.
