Malicious npm Packages Scarf Up Discord Tokens, Credit Card Info

Published: 23/11/2024   Category: security




The campaign uses four malicious packages to spread Volt Stealer and Lofy Stealer malware in the open source npm software package repository.



Four packages containing highly obfuscated malicious Python and JavaScript code were discovered this week in the Node Package Manager (npm) repository. 
According to a report from Kaspersky, the malicious packages spread the Volt Stealer and Lofy Stealer malware, collecting information from their victims, including Discord tokens and credit card information, and spying on them over time.
Volt Stealer is used to steal Discord tokens and harvest people's IP addresses from the infected computers, which are then uploaded to malicious actors via HTTP.
Lofy Stealer, a newly developed threat, can infect Discord client files and monitor the victim's actions. For example, the malware detects when a user logs in, changes email or password details, or enables or disables multifactor authentication (MFA). It also monitors when a user adds new payment methods, and will harvest full credit card details. The collected information is then uploaded to a remote endpoint.
The package names are small-sm, pern-valids, lifeculer, and proc-title. While npm has removed them from the repository, applications from any developer who already downloaded them remain a threat.
Targeting Discord provides a lot of reach because stolen Discord tokens can be leveraged for spear-phishing attempts on victims' friends. But Derek Manky, chief security strategist and vice president of global threat intelligence at Fortinet's FortiGuard Labs, points out that the attack surface will of course vary among organizations, depending on their use of the multimedia communications platform.
"The threat level would not be as high as a Tier 1 outbreak like we have seen in the past — for example, Log4j — due to these concepts around the attack surface associated with these vectors," he explains.
Users of Discord have options to protect themselves from these kinds of attacks: "Of course, like any application that is targeted, covering the kill chain is an effective measure to reduce risk and threat level," Manky says.
This means having policies set up for appropriate usage of Discord according to user profiles, network segmentation, and more.
The npm software package repository has more than 11 million users and tens of billions of downloads of the packages it hosts. It’s used both by experienced Node.js developers and people using it casually as part of other activities.
The open source npm modules are used both in Node.js production applications and in developer tooling for applications that wouldn't otherwise use Node. If a developer inadvertently pulls in a malicious package to build an application, that malware can go on to target the end users of that application. Thus, software supply chain attacks like these provide more reach for less effort than targeting an individual company.
"That ubiquitous use among developers makes it a big target," says Casey Bisson, head of product and developer enablement at BluBracket, a provider of code security solutions.
"Npm doesn't just provide an attack vector to large numbers of targets, but the targets themselves extend beyond end users," Bisson says.
"Enterprises and individual developers both often have greater resources than the average population, and lateral attacks after gaining a beachhead in a developer's machine or enterprise systems are generally also rather fruitful," he adds.
Garwood Pang, senior security researcher at Tigera, a provider of security and observability for containers, points out that while npm provides one of the most popular package managers for JavaScript, not everyone is savvy in how to use it.
"This allows developers access to a huge library of open source packages to enhance their code," he says. "However, due to the ease of use and the amount of listing, an inexperienced developer can easily import malicious packages without their knowledge."
It's no easy feat, though, to identify a malicious package. Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, cites the sheer quantity of components making up a typical NodeJS package.
"Being able to identify correct implementations of any functionality is challenged when there are many different legitimate solutions to the same problem," he says. "Add in a malicious implementation that can then be referenced by other components, and you've got a recipe where it's difficult for anyone to determine if the component they are selecting does what it says on the box and doesn't include or reference undesirable functionality."
Major supply chain attacks have had a significant impact on software security awareness and decision making, with more investment planned for monitoring attack surfaces.
Mackey points out that software supply chains have always been targets, particularly when one looks at attacks targeting frameworks like shopping carts or development tooling.
"What we're seeing recently is a recognition that attacks we used to categorize as malware or as a data breach are in reality compromises of the trust organizations place in the software they're both creating and consuming," he says.
Mackey also says that many people assumed that software created by a vendor was entirely authored by that vendor, but, in reality, there could be hundreds of third-party libraries making up even the simplest software — as came to light with the Log4j fiasco.
"Those libraries are effectively suppliers within the software supply chain for the application, but the decision to use any given supplier was made by a developer solving a feature problem and not by a businessperson focused on business risks," he says.
That's prompted calls for the implementation of software bills of materials (SBOMs). And, in May, MITRE launched a prototype framework for information and communications technology (ICT) that defines and quantifies risks and security concerns over the supply chain — including software.
