Discord-Stealing Malware Invades NPM Packages
Arthur T Knackerbracket has processed the following story, "Discord-Stealing Malware Invades npm Packages":
The CursedGrabber malware has infiltrated the open-source software code repository.
Three malicious software packages have been published to npm, a code repository for JavaScript developers to share and reuse code blocks. The packages represent a supply-chain threat given that they may be used as building blocks in various web applications; any applications corrupted by the code can steal tokens and other information from Discord users, researchers said.
Discord is designed for creating communities on the web, called "servers," either as standalone forums or as part of another website. Users communicate with voice calls, video calls, text messaging, media and files. Discord "bots" are central to its function; these are AIs that can be programmed to moderate discussion forums, welcome and guide new members, police rule-breakers and perform community outreach. They're also used to add features to the server, such as music, games, polls, prizes and more.
Discord tokens are used inside bot code to send commands back and forth to the Discord API, which in turn controls bot actions. If a Discord token is stolen, it would allow an attacker to hack the server.
As of Friday, the packages (named an0n-chat-lib, discord-fix and sonatype, all published by "scp173-deleted") were still available for download. They make use of brandjacking and typosquatting to lure developers into thinking they're legitimate. "There is also clear evidence that the malware campaign was using a Discord bot to generate fake download counts for the packages to make them appear more popular to potential users," according to researchers at Sonatype.
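The brandjacking and typosquatting lure described above can be checked for on the defender's side before a package ever gets installed. The script below is an added example written for this post, not code from the story or from Sonatype: it reads a package.json, flags any dependency whose name exactly matches one of the three package names reported in the story, and flags names that sit within a small edit distance of a well-known package name (the typosquatting pattern). The watch-list of popular names and the sample package.json are constructed for the demonstration; a real deployment would source the watch-list from a registry's top-downloads data.

```javascript
// Added example (not from the article or Sonatype): audit a package.json for
// dependency names that match reported-malicious packages or that look like
// typosquats of well-known packages.

// The three package names quoted in the story, used as an exact-match denylist.
const REPORTED_MALICIOUS = new Set(["an0n-chat-lib", "discord-fix", "sonatype"]);

// Constructed watch-list of popular names an attacker might imitate.
// Assumption: in practice this list comes from registry download statistics.
const WATCHED_NAMES = ["discord.js", "lodash", "express", "react", "axios"];

// Levenshtein edit distance between two strings (standard dynamic programming).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Return findings for every dependency name in a parsed package.json object.
// A name that exactly equals a watched popular package is considered fine;
// a name within maxDistance edits of one (but not equal) is suspicious.
function auditDependencies(pkg, maxDistance = 2) {
  const names = Object.keys({
    ...(pkg.dependencies || {}),
    ...(pkg.devDependencies || {}),
  });
  const findings = [];
  for (const name of names) {
    if (REPORTED_MALICIOUS.has(name)) {
      findings.push({ name, reason: "matches a package name reported as malicious" });
      continue;
    }
    if (WATCHED_NAMES.includes(name)) continue;
    for (const target of WATCHED_NAMES) {
      const d = editDistance(name, target);
      if (d > 0 && d <= maxDistance) {
        findings.push({ name, reason: `within edit distance ${d} of "${target}"` });
        break;
      }
    }
  }
  return findings;
}

// Convenience wrapper for the raw file contents of a package.json.
function auditPackageJsonText(text) {
  return auditDependencies(JSON.parse(text));
}

// Constructed sample package.json: one legitimate dependency, two names from
// the story, and one near-miss of "lodash".
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo-bot",
  dependencies: { "discord.js": "^13.0.0", "discord-fix": "1.0.0", "lodahs": "4.17.21" },
  devDependencies: { "an0n-chat-lib": "0.1.0" },
});

for (const f of auditPackageJsonText(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.name}: ${f.reason}`);
}
```

Run it against a real project by replacing `SAMPLE_PACKAGE_JSON` with the contents of that project's package.json; the edit-distance threshold of 2 is a starting point and will need tuning against the watch-list to keep false positives down.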
See also: CursedGrabber strikes again: Sonatype spots new malware campaign against Software Supply Chains.
Read more of this story at SoylentNews.