Malicious npm packages tapped to steal Discord users’ information

Malicious campaign to infect Discord users with malware in motion

Modified Volt Stealer and Lofy Stealer variant targets Discord users

Cybercriminals are using the npm (node package manager) to hide malware that can steal Discord tokens to spy on user sessions and steal data. A discord token is a unique series of numbers and letters that is created when users log in. It is like an authorization code that gets passed from the client to the server to verify that users are the account holders.

The malware used in the attacks is a variant of the open-source and Python-based token logger Volt Stealer and JavaScript malware known as Lofy Stealer. Researchers Igor Kuznetsov and Leonid Bezvershenko from Kaspersky^[1] wrote:

It detects when a user logs in, changes email or password, enables/disables multi-factor authentication (MFA) and adds new payment methods, including complete bank card details,

The collected data is then uploaded to the remote endpoint which is hard-coded. The malware can monitor Discord logins, attempts to change the credentials, multi-factor authentication (MFA) toggles,^[2] or the addition of new payment methods to steal Discord accounts and payment information. It can also read system information, including the victims' IP addresses. This can cause serious privacy issues, and even monetary losses.

NPM packages are abused by cybercriminals for malicious purposes

In recent years, NPM has become a constant target for malicious actors. There has been an influx of malicious packages, the most harmful of which are related to data theft, crypto mining, botnets, and code execution from a distance. According to WhiteSource, 1,300 malicious packages on NPM in the second half of 2021 were found.^[3]

NPM is an open system where anyone can submit modules for other developers to use. Due to the open system, it is becoming frequent for malicious actors to upload malicious modules that steal data, download and execute programs, or perform malicious behavior when used in other projects.

Some attackers manage to find an internal dependency package name. Then they create a public package with the same name with a higher version number. The malicious public package is then preferred by the package manager and installed automatically on each update call. End users should monitor packages that download remote components during installation, and track all used Operations Support System (OSS) components.^[4]

Discord users targeted by multiple threat actors

• Back in 2019, malware named Spidey Bot installed files presented as Discord-related data on users' machines. It would kill the program and change specific modules and core files. Cybercriminals were using the messaging application itself to spread the malware.
• In 2020, a malicious NPM package called “fallguys” was used to steal Discord user tokens and browser information from Google Chrome, Brave Browser, Opera, and Yandex Browser.
• A successor to npm “fallguys” malware “Discord.dll went undetected for 5 months because it looked like a legitimate package with a genuine use case. The package was attempting to exfiltrate Discord and web browser’s “leveldb” files.
• In 2021, another malware from Discord would install MBRLocker data wiping malware otherwise known as Monster Ransomware. The malicious NPM packages were pretending to be Roblox libraries and delivered ransomware and password-stealing trojans.