- A new malware discovered on the NPM space was there for five months already, amassing one hundred downloads.
- The package is heavily obfuscated, and its goal is to steal Discord and web browser data in the form of leveldb files.
- The repository and its author have been reported now, but it may take a while before the code is ousted.
Researchers from the Sonatype Security team have identified a new malware on the NPM (Node Package Manager) space. It looks like it is the continuation of the “fallguys” package that was discovered and removed back in September 2020, in the sense that the new malware is also attempting to steal user data stored in web browsers like Chrome, Brave, Opera, and Yandex.
The Sonatype team discovered the following four malicious packages on NPM, with the first one being the malware, and the other three being fetchers/droppers.
The malware package (discord.dll) has had 100 downloads since its publication five months ago. The other three packages had between 38 and 88 downloads, with the “app” one having been published together with the “DLL” file, the “addon” two weeks ago, and the “JS” just yesterday.
Sonatype has detected that last packet thanks to the deployment of automated malware detection bots. Only then, it dug deeper into the author’s NPM repository and figured out what the other three packets really are.
As Sonatype researchers warn, the multiple levels of obfuscation hide discord.dll well from AV solutions, so if you have installed the package, you may not get any indication about its malicious nature. All the files and dependencies that constitute the discord.dll component are heavily obfuscated with base64-encoded strings, and one of them even links to an “Anonymous” logo.