DevOps security firm JFrog discovered 17 new malicious packages in the npm (Node.js package manager) repository that are built to steal users' Discord tokens.
Shachar Menashe, senior director of JFrog security research, and Andrey Polkovnychenko explained that hijacking a user’s Discord token (the user’s credentials) effectively gives the attacker full control over the user’s account.
“This type of attack has severe implications if executed well, and, in this case, public hack tools made such an attack easy enough for even a novice hacker to perform,” Menashe said. “We recommend organizations take precautions and manage their use of npm for software curation to reduce the risk of introducing malicious code into their applications.”
The two explained that the packages' payloads vary, ranging from infostealers to full remote access backdoors. They added that the packages use different infection tactics, including typosquatting, dependency confusion, and trojan functionality.
The packages have been removed from the npm repository, and the JFrog security research team said they were taken down “before they could rack up a large number of downloads.”
JFrog noted that malware aimed at stealing Discord tokens has been on the rise because the platform, a popular video/voice/text chat app, now has more than 350 million registered users.
“Due to the popularity of this attack payload, there are quite a lot of Discord token grabbers posted with build instructions on GitHub. An attacker can take one of these templates and develop custom malware without extensive programming skills — meaning any novice hacker can do this with ease in a matter of minutes,” the researchers explained.
Their report on the situation notes that JFrog has found a “barrage of malicious software hosted and delivered through open-source software repositories,” adding that public repositories like PyPI and npm have become a handy instrument for malware distribution.
“The repository’s server is a trusted resource, and communication with it does not raise the suspicion of any antivirus or firewall. In addition, the ease of installation via automation tools, such as the npm client, provides a ripe attack vector,” the researchers said.
John Bambenek, principal threat hunter at Netenrich, said cybersecurity experts have for some time seen attempts to insert malicious code into, or publish malicious libraries on, PyPI and npm.
“Automation is the next logical step for the attackers to increase the number of victims they have control of,” Bambenek told ZDNet. “The malicious code usually is not in place for very long, but if you do it at scale, odds are you are collecting victims at a rapid pace.”