Researchers from the Sonatype Security team have identified a new malware on the NPM (Node Package Manager) space. It looks like it is the continuation of the “fallguys” package that was discovered and removed back in September 2020, in the sense that the new malware is also attempting to steal user data stored in web browsers like Chrome, Brave, Opera, and Yandex.
It does so through obfuscated JavaScript code that exfiltrates Discord and browser leveldb files.
The Sonatype team discovered the following four malicious packages on NPM, with the first one being the malware, and the other three being fetchers/droppers.
The malware package (discord.dll) has had 100 downloads since its publication five months ago. The other three packages had between 38 and 88 downloads, with the “app” one having been published together with the “DLL” file, the “addon” two weeks ago, and the “JS” just yesterday.
Sonatype has detected that last packet thanks to the deployment of automated malware detection bots. Only then, it dug deeper into the author’s NPM repository and figured out what the other three packets really are.
Remember, NPM is a special package management tool used by JavaScript developers looking to get easy access to a large set of JS modules, retrieve code, store their work, share it with others, and perform dependency management. The biggest problem with NPM is security. The repositories aren’t actively monitored, and whatever malicious package finds its way on the platform may only be removed after third-party discovery and reporting.
As Sonatype researchers warn, the multiple levels of obfuscation hide discord.dll well from AV solutions, so if you have installed the package, you may not get any indication about its malicious nature. All the files and dependencies that constitute the discord.dll component are heavily obfuscated with base64-encoded strings, and one of them even links to an “Anonymous” logo.