Malicious npm packages are stealing Discord tokens

JFrog researchers found 17 malicious packages that are designed to steal a user's Discord tokens.
Written by Jonathan Greig, Contributor

DevOps security firm JFrog discovered 17 new malicious packages in the npm (Node.js package manager) repository that are designed to steal a user's Discord tokens.

Shachar Menashe, senior director of JFrog security research, and Andrey Polkovnychenko explained that hijacking a user's Discord token (the credential Discord uses to authenticate the user) effectively gives the attacker full control over the user's account.

"This type of attack has severe implications if executed well, and, in this case, public hack tools made such an attack easy enough for even a novice hacker to perform," Menashe said. "We recommend organizations take precaution and manage their use of npm for software curation to reduce the risk of introducing malicious code into their applications."

The two explained that the packages' payloads are varied, ranging from infostealers to full remote access backdoors. They added that the packages have different infection tactics, including typosquatting, dependency confusion, and trojan functionality.

The packages have been removed from the npm repository, and the JFrog security research team said they were taken down "before they could rack up a large number of downloads."

JFrog noted that there has been an increase in malware aimed at stealing Discord tokens because the platform, a popular video/voice/text chat app, now has more than 350 million registered users.


"Due to the popularity of this attack payload, there are quite a lot of Discord token grabbers posted with build instructions on GitHub. An attacker can take one of these templates and develop custom malware without extensive programming skills -- meaning any novice hacker can do this with ease in a matter of minutes," the researchers explained.

Their report on the situation notes that JFrog has found a "barrage of malicious software hosted and delivered through open-source software repositories," adding that public repositories like PyPI and npm have become a handy instrument for malware distribution.

"The repository's server is a trusted resource, and communication with it does not raise the suspicion of any antivirus or firewall. In addition, the ease of installation via automation tools, such as the npm client, provides a ripe attack vector," the researchers said.

John Bambenek, principal threat hunter at Netenrich, said cybersecurity experts have seen attempts to insert malicious code into, or publish malicious libraries on, PyPI and npm for some time.

"Automation is the next logical step for the attackers to increase the number of victims they have control of," Bambenek told ZDNet. "The malicious code usually is not in place for very long, but if you do it at scale, odds are you are collecting victims at a rapid pace."
