“Discord.dll” Is the New NPM Malware to Replace “Fallguys”

  • A new malware discovered on the NPM space was there for five months already, amassing one hundred downloads.
  • The package is heavily obfuscated, and its goal is to steal Discord and web browser data in the form of leveldb files.
  • The repository and its author have been reported now, but it may take a while before the code is ousted.

Researchers from the Sonatype Security team have identified a new malware on the NPM (Node Package Manager) space. It looks like it is the continuation of the “fallguys” package that was discovered and removed back in September 2020, in the sense that the new malware is also attempting to steal user data stored in web browsers like Chrome, Brave, Opera, and Yandex.

It does so through obfuscated JavaScript code that exfiltrates Discord and browser leveldb files.

Source: Sonatype

The Sonatype team discovered the following four malicious packages on NPM, with the first one being the malware, and the other three being fetchers/droppers.

  • discord.dll
  • discord.app
  • wsbd.js
  • ac-addon

The malware package (discord.dll) has had 100 downloads since its publication five months ago. The other three packages had between 38 and 88 downloads, with the “app” one having been published together with the “DLL” file, the “addon” two weeks ago, and the “JS” just yesterday.

Sonatype has detected that last packet thanks to the deployment of automated malware detection bots. Only then, it dug deeper into the author’s NPM repository and figured out what the other three packets really are.

Remember, NPM is a special package management tool used by JavaScript developers looking to get easy access to a large set of JS modules, retrieve code, store their work, share it with others, and perform dependency management. The biggest problem with NPM is security. The repositories aren’t actively monitored, and whatever malicious package finds its way on the platform may only be removed after third-party discovery and reporting.

Source: Sonatype

As Sonatype researchers warn, the multiple levels of obfuscation hide discord.dll well from AV solutions, so if you have installed the package, you may not get any indication about its malicious nature. All the files and dependencies that constitute the discord.dll component are heavily obfuscated with base64-encoded strings, and one of them even links to an “Anonymous” logo.

REVIEW OVERVIEW

Latest

How to Watch Chicago Blackhawks Games Online Without Cable

The Chicago Blackhawks are one of the most widely known teams in the NHL, with a lot of history and a fanbase...

How to Watch Pam & Tommy Online from Anywhere: Release Date, Cast, Plot, & Trailer

This biographical drama series surrounds the infamous controversial '90s tape of Motley Crue drummer Tommy Lee and then-wife actress Pamela Anderson that...

Attack On Titan Becomes Most “In-Demand” Series of 2021

Attack on Titan has indeed come a long way since the manga, by Hajime Isayama, first released in 2009. Of course, the...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari