Malicious npm Package Emerged To Steal Browser And Discord Data

The npm Security team has recently removed a malicious package from its official repository. The malicious npm package attempted to steal users’ data including Discord account information and browsing history.

Malicious npm Package Flooded NPM Portal

Recently, the npm security team has highlighted the existence of a malicious package in its repository. npm is a dedicated package manager for JavaScript programming and is the default package manager for Node.js.

Explaining the details in an advisory, they stated that a malicious npm package appeared in their repo. Labeled as ‘fallguys’, the package offering interface for the API of ‘Fall Guys: Ultimate Knockout’ game.

However, the package actually included malicious code meant for stealing users’ data. As stated in the advisory,

fallguys contained malicious code that attempted to read local sensitive files and exfiltrate information through a Discord webhook.

Specifically, the code attempted to access the following paths on the victim’s device.

  • AppData/Local/Google/Chrome/User\x20Data/Default/Local\x20Storage/leveldb
  • /AppData/Roaming/Opera\x20Software/Opera\x20Stable/Local\x20Storage/leveldb
  • /AppData/Local/Yandex/YandexBrowser/User\x20Data/Default/Local\x20Storage/leveldb
  • /AppData/Local/BraveSoftware/Brave-Browser/User\x20Data/Default/Local\x20Storage/leveldb
  • /AppData/Roaming/discord/Local\x20Storage/leveldb

These target paths clearly show that the code strived to steal data from Google Chrome, Opera, Yandex, and Brave browsers. Accessing database files for these browsers would land the entire browsing history of the victim at the hands of the attackers.

Also, the code targeted Discord data as well, specifically, the Discord channel-specific content.

The malware would execute right after a developer would download the package and integrate it inside a project to run.

NPM Removed The Malicious Library

Upon noticing the malicious library, npm security team quickly removed it from the repository. The current package page clearly mentions the same.

This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.

However, the package, before removal, existed in the repository for about two weeks. It currently shows around 300 downloads during this period.

Hence, though the package no more exists in the repo, the users who have downloaded it must ensure the removal of the package from their systems. Team npm also advises the victims to update their login credentials as a precaution.

Let us know your thoughts in the comments.

Related posts

Hard-Coded Credentials Vulnerability Found In Kubernetes Image Builder

Critical Vulnerability Patched In Jetpack WordPress Plugin

Astaroth Banking Malware Runs Actively Targets Users In Brazil