Tech news from MIST

25 Malicious JavaScript Libraries Distributed via NPM Package Repository


Lavanya Rao K

February 24, 2022

DevOps security firm JFrog reported that it found and helped remove 25 malicious JavaScript libraries from the official npm package repository. This is the second time in three months that JFrog has found malicious npm packages designed to steal Discord tokens and environment variables, after reporting 17 similar packages in December 2021. All 25 libraries carried names resembling those of more popular libraries and contained different kinds of malicious code, which suggests they were created by different threat actors, each with different goals. The libraries in question relied on typosquatting and masqueraded as legitimate packages such as shades.js, crypto-js, discord.js, marked, and noblox.js.

17 of the 25 libraries were designed to steal Discord access tokens from the computers on which the malicious code was executed. Discord tokens are valuable because they allow attackers to access accounts without providing a password. Spammers often acquire these tokens and use them to take over user accounts, then flood Discord channels and their users with ads and even malicious links.

Five other packages contained code that stole environment variables from the infected projects in a developer's local programming environment. These variables typically store OS information, but in some cases they also contain API keys and login credentials for cloud services, information that many attackers are keen to collect.

The most dangerous were the last three packages, which allowed attackers to run their own commands on user systems via either Python code or shell commands. While all of this involved minimal effort, had the packages gone undetected the attacks would have had a high return on investment (ROI), which is why JFrog's researchers expect to see similar malicious packages flood the npm repository in the future.
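As an added defensive example (not code from the article, JFrog, or The Hacker News), the following Node.js snippet triages a project's package.json for two of the warning signs described above: dependency names that are near-misses of the well-known packages the article lists, and lifecycle scripts that execute automatically during installation. The popular-name list, the edit-distance threshold, and the sample package.json are assumptions constructed for this example.

```javascript
// Added example, not from the original article: triage a package.json for
// typosquat-style dependency names and install-time lifecycle scripts.
// POPULAR is a constructed allow-list built from the packages the article names.
const POPULAR = ["shades.js", "crypto-js", "discord.js", "marked", "noblox.js"];

// Classic Levenshtein edit distance (insert/delete/substitute), single-row DP.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Drop the scope and separators so "discord-js" and "discordjs" compare alike.
function normalize(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, "").replace(/[-_.]/g, "");
}

// Returns the popular package a name resembles, or null. Exact matches are
// legitimate and are not reported; a distance of <= 2 is a triage heuristic.
function lookalikeOf(name, popular = POPULAR) {
  if (popular.includes(name)) return null;
  const n = normalize(name);
  for (const p of popular) {
    if (editDistance(n, normalize(p)) <= 2) return p;
  }
  return null;
}

// Scans a parsed package.json object: lookalike dependency names plus
// scripts that npm runs on its own during `npm install`.
function triagePackage(pkg, popular = POPULAR) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const lookalikes = Object.keys(deps)
    .map((d) => [d, lookalikeOf(d, popular)])
    .filter(([, p]) => p !== null);
  const hooks = ["preinstall", "install", "postinstall"]
    .filter((h) => pkg.scripts && pkg.scripts[h]);
  return { lookalikes, installHooks: hooks };
}

// Constructed sample package.json for demonstration; the names are invented.
const SAMPLE_PKG = {
  dependencies: { "discord-js": "^1.0.0", "crypto-jss": "1.2.3", marked: "4.0.0", express: "4.17.1" },
  scripts: { postinstall: "node setup.js", test: "jest" },
};
```

Flagged names are a signal for manual review, not proof of malice: short or heavily reused names will produce false positives, so tune the allow-list and threshold to the project's actual dependency set.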

Abridged from The Hacker News
