Malicious npm Package Emerged To Steal Browser And Discord Data


The npm Security team has recently removed a malicious package from its official repository. The malicious npm package attempted to steal users’ data including Discord account information and browsing history.

Malicious npm Package Flooded NPM Portal

Recently, the npm security team has highlighted the existence of a malicious package in its repository. npm is a dedicated package manager for JavaScript programming and is the default package manager for Node.js.

Explaining the details in an advisory, they stated that a malicious npm package had appeared in their repository. Labeled ‘fallguys’, the package offered an interface for the API of the ‘Fall Guys: Ultimate Knockout’ game.

However, the package actually included malicious code meant for stealing users’ data. As stated in the advisory,

fallguys contained malicious code that attempted to read local sensitive files and exfiltrate information through a Discord webhook.

Specifically, the code attempted to access the following paths on the victim’s device.

  • AppData/Local/Google/Chrome/User\x20Data/Default/Local\x20Storage/leveldb
  • /AppData/Roaming/Opera\x20Software/Opera\x20Stable/Local\x20Storage/leveldb
  • /AppData/Local/Yandex/YandexBrowser/User\x20Data/Default/Local\x20Storage/leveldb
  • /AppData/Local/BraveSoftware/Brave-Browser/User\x20Data/Default/Local\x20Storage/leveldb
  • /AppData/Roaming/discord/Local\x20Storage/leveldb

These target paths clearly show that the code sought to steal data from the Google Chrome, Opera, Yandex, and Brave browsers. Accessing database files for these browsers would land the entire browsing history of the victim in the hands of the attackers.

The code also targeted Discord data, specifically the Discord channel-specific content.

The malware would execute as soon as a developer downloaded the package and integrated it into a project to run.

NPM Removed The Malicious Library

Upon noticing the malicious library, the npm security team quickly removed it from the repository. The current package page clearly states this.

This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.

However, the package, before removal, existed in the repository for about two weeks. It currently shows around 300 downloads during this period.

Hence, though the package no longer exists in the repository, users who have downloaded it must ensure that the package is removed from their systems. The npm team also advises victims to update their login credentials as a precaution.
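To find out whether a project ever pulled the package in, directly or through another dependency, the manifest and lockfile can be searched for its name. The following is an added example, not code from npm or the advisory; it takes already parsed package.json and package-lock.json objects, and the sample data, the "game-stats" package and the version strings are constructed for illustration.

```javascript
// Added example (not from the advisory): locate a package name in parsed npm metadata.
const BLOCKED = 'fallguys'; // package name reported on this page

// Manifest fields in package.json that can declare the package directly.
const FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

function findInManifest(manifest, name = BLOCKED) {
  return FIELDS.filter((f) => Object.prototype.hasOwnProperty.call(manifest[f] || {}, name));
}

// Returns every location of `name` in a parsed package-lock.json object.
function findInLockfile(lock, name = BLOCKED) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key.split('node_modules/').pop() === name) {
      hits.push({ where: key, version: meta.version });
    }
  }
  // lockfileVersion 1 (and the v2 compatibility copy): nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const here = trail.concat(dep);
      if (dep === name) hits.push({ where: here.join(' > '), version: meta.version });
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample data (versions and the "game-stats" package are made up).
const sampleManifest = { dependencies: { 'game-stats': '^1.0.0' }, devDependencies: {} };
const sampleLockV1 = {
  lockfileVersion: 1,
  dependencies: {
    'game-stats': { version: '1.0.0', dependencies: { fallguys: { version: '0.0.0-sample' } } },
  },
};
const sampleLockV3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo' },
    'node_modules/game-stats': { version: '1.0.0' },
    'node_modules/game-stats/node_modules/fallguys': { version: '0.0.0-sample' },
  },
};

console.log(findInManifest(sampleManifest), findInLockfile(sampleLockV1), findInLockfile(sampleLockV3));
```

In a real project, pass in the result of JSON.parse on each file. A hit still needs review, because the registry now serves a placeholder under the same name.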

Let us know your thoughts in the comments.


Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]
