Security researchers have identified a malicious npm package designed to steal web browser files and messages from the Discord gaming chat service. This is not the first attempt of its kind, and the project appears to have been online for quite some time.
Attackers usually give such packages common-looking file names to mislead potential users, and the names in this campaign followed a similar pattern:
“The discord.dll is an npm component which conducts sinister activities that are hard to spot upfront,” say the researchers from Sonatype. “It also uses the legitimate Discord.js npm dependency to potentially distract researchers from its otherwise nefarious activities.”
The attacker’s goal is to exfiltrate the ‘leveldb’ files of Discord and of web browsers. The package’s code also references collecting other data, such as the victim’s IP address and PC username. The project includes a Webhook.js file that lets the attacker send the stolen information to a Discord channel through a webhook.
Upon further inspection, the researchers found that the same attacker had run a similar campaign earlier, albeit with more complex tooling.
The team found the package on November 9 and disclosed it the same day. The researchers defended the rapid disclosure, saying that since the package was already live with a few hundred downloads, users had to be informed as soon as possible.