25 new malicious packages found in the NPM repository


25 new malicious JavaScript libraries that steal Discord tokens and environment variables have been discovered in the official NPM repository.

The libraries rely on so-called typosquatting: their names closely resemble those of legitimate libraries, with only slight differences. In particular, they masquerade as colors.js, crypto-js, discord.js, marked and noblox.js, JFrog reports.

List of malicious libraries:

  • node-colors-sync (steals Discord tokens);

  • color-self (steals Discord tokens);

  • color-self-2 (steals Discord tokens);

  • wafer-text (steals environment variables);

  • wafer-countdown (steals environment variables);

  • wafer-template (steals environment variables);

  • wafer-darla (steals environment variables);

  • lemaaa (steals Discord tokens);

  • adv-discord-utility (steals Discord tokens);

  • tools-for-discord (steals Discord tokens);

  • mynewpkg (steals environment variables);

  • purple-bitch (steals Discord tokens);

  • purple-bitchs (steals Discord tokens);

  • noblox.js-addons (steals Discord tokens);

  • kakakaakaaa11aa (reverse shell);

  • markedjs (a tool for remote Python code injection);

  • crypto-standarts (a tool for remote Python code injection);

  • discord-selfbot-tools (steals Discord tokens);

  • discord.js-aplyscript-v11 (steals Discord tokens);

  • discord.js-selfbot-aplyscript (steals Discord tokens);

  • discord.js-selfbot-deployed (steals Discord tokens);

  • discord.js-discord-selfbot-v4 (steals Discord tokens);

  • colors-beta (steals Discord tokens);

  • vera.js (steals Discord tokens);

  • discord-protection (steals Discord tokens).
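To check a project against the list above, the following added example (not from JFrog or the original article) scans a parsed package-lock.json for the 25 names and separately reports names that resemble the five imitated libraries. The look-alike rule, the function names and the sample lockfile are assumptions made for illustration.

```javascript
// The 25 package names listed on this page.
const MALICIOUS = new Set([
  "node-colors-sync", "color-self", "color-self-2", "wafer-text",
  "wafer-countdown", "wafer-template", "wafer-darla", "lemaaa",
  "adv-discord-utility", "tools-for-discord", "mynewpkg", "purple-bitch",
  "purple-bitchs", "noblox.js-addons", "kakakaakaaa11aa", "markedjs",
  "crypto-standarts", "discord-selfbot-tools", "discord.js-aplyscript-v11",
  "discord.js-selfbot-aplyscript", "discord.js-selfbot-deployed",
  "discord.js-discord-selfbot-v4", "colors-beta", "vera.js", "discord-protection",
]);
// Imitated libraries named on the page (colors.js is published on npm as "colors").
const LEGIT = ["colors", "crypto-js", "discord.js", "marked", "noblox.js"];
const stem = (n) => n.toLowerCase().replace(/[.-]?js$/, "");

// Collect installed package names from both lockfile layouts.
function lockfileNames(lock) {
  const names = new Set();
  // lockfileVersion 2/3: "packages" keys such as "node_modules/a/node_modules/b".
  for (const key of Object.keys(lock.packages || {})) {
    const i = key.lastIndexOf("node_modules/");
    if (i !== -1) names.add(key.slice(i + "node_modules/".length));
  }
  // lockfileVersion 1: nested "dependencies" objects keyed by package name.
  const walk = (deps) => {
    for (const [name, info] of Object.entries(deps || {})) {
      names.add(name);
      walk(info.dependencies);
    }
  };
  walk(lock.dependencies);
  return names;
}
// known: on the list. lookalike: unscoped name that embeds or re-spells an
// imitated name (assumed heuristic, a prompt for manual review only).
function auditLockfile(lock) {
  const known = [], lookalike = [];
  for (const name of [...lockfileNames(lock)].sort()) {
    if (MALICIOUS.has(name)) known.push(name);
    else if (!name.startsWith("@") && !LEGIT.includes(name) &&
      LEGIT.some((l) => name.includes(l) || stem(name) === stem(l))) lookalike.push(name);
  }
  return { known, lookalike };
}
// Constructed sample lockfile (not real data); "marked-example-fork" is made up.
const SAMPLE = { lockfileVersion: 3, packages: {
  "": {}, "node_modules/discord.js": {}, "node_modules/@types/marked": {},
  "node_modules/discord.js/node_modules/colors-beta": {},
  "node_modules/marked-example-fork": {},
} };
console.log(auditLockfile(SAMPLE));
```

To audit a real project, pass the result of `JSON.parse` on its `package-lock.json` to `auditLockfile`; a non-empty `known` array means one of the listed packages is installed.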

Attackers use stolen Discord tokens to gain unauthorized access to accounts without needing a password. Through accounts compromised in this way, they spread malicious links.

Environment variables are key-value pairs used to store information related to the programming environment on the developer’s computer, including API access tokens, authorization keys, API URLs, and account names.

Two of the malicious packages, markedjs and crypto-standarts, differ from the others: their functionality fully matches that of the legitimate marked and crypto-js libraries, but they can also inject additional malicious Python code.
