
Cyber Crime: Malicious JavaScript Libraries

25 malicious JavaScript libraries were found on the NPM package registry that were designed to steal Discord tokens and environment variables. The libraries used typosquatting techniques to pose as legitimate packages like colors.js and discord.js. They stole tokens stored locally on systems and in web browsers to take over Discord accounts. Developers are urged to carefully inspect their package dependencies to prevent typosquatting and dependency confusion attacks on NPM.

Uploaded by

Karan Mistry
Copyright: © All Rights Reserved

190280116062 Karan Mistry

Assignment

Prepare a flipbook for cyber crime awareness example with real time case studies.

25 Malicious JavaScript Libraries Distributed via Official NPM Package Repository

Another batch of 25 malicious JavaScript libraries has made its way to the official NPM package registry with the goal of stealing Discord tokens and environment variables from compromised systems, more than two months after 17 similar packages were taken down.

The libraries in question leveraged typosquatting techniques and masqueraded as other legitimate packages such as colors.js, crypto-js, discord.js, marked, and noblox.js, DevOps security firm JFrog said, describing the packages as the work of "novice malware authors."

The complete list of packages is below –

• node-colors-sync (Discord token stealer)
• color-self (Discord token stealer)
• color-self-2 (Discord token stealer)
• wafer-text (Environment variable stealer)
• wafer-countdown (Environment variable stealer)
• wafer-template (Environment variable stealer)
• wafer-darla (Environment variable stealer)
• lemaaa (Discord token stealer)
• adv-discord-utility (Discord token stealer)
• tools-for-discord (Discord token stealer)
• mynewpkg (Environment variable stealer)
• purple-bitch (Discord token stealer)
• purple-bitchs (Discord token stealer)
• noblox.js-addons (Discord token stealer)
• kakakaakaaa11aa (Connectback shell)
• markedjs (Python remote code injector)
• crypto-standarts (Python remote code injector)
• discord-selfbot-tools (Discord token stealer)
• discord.js-aployscript-v11 (Discord token stealer)
• discord.js-selfbot-aployscript (Discord token stealer)
• discord.js-selfbot-aployed (Discord token stealer)
• discord.js-discord-selfbot-v4 (Discord token stealer)
• colors-beta (Discord token stealer)
• vera.js (Discord token stealer)
• discord-protection (Discord token stealer)

Discord tokens have emerged as lucrative means for threat actors to gain
unauthorized access to accounts sans a password, enabling the operators to
exploit the access to propagate malicious links via Discord channels.

Environment variables, stored as key-value pairs, are used to save information pertaining to the programming environment on the development machine, including API access tokens, authentication keys, API URLs, and account names.

Two rogue packages, named markedjs and crypto-standarts, stand out for their role as duplicate trojan packages in that they completely replicate the original functionality of the well-known libraries marked and crypto-js, but feature additional malicious code to remotely inject arbitrary Python code.

Another malicious package is lemaaa, "a library which is meant to be used by malicious threat actors to manipulate Discord accounts," researchers Andrey Polkovnychenko and Shachar Menashe said. "When used in a certain way, the library will hijack the secret Discord token given to it, in addition to performing the requested utility function."

Specifically, lemaaa is engineered to use the supplied Discord token to siphon the victim's credit card information, take over the account by changing the account password and email, and even remove all of the victim's friends.
Vera.js, also a Discord token grabber, takes a different approach to carry out
its token theft activities. Instead of retrieving the information from local disk
storage, it retrieves the tokens from a web browser's local storage.

"This technique can be helpful to steal tokens that were generated when
logging using the web browser to the Discord website, as opposed to when
using the Discord app (which saves the token to the local disk storage)," the
researchers said.

If anything, the findings are the latest in a series of disclosures uncovering the
abuse of NPM to deploy an array of payloads ranging from info-stealers up to
full remote access backdoors, making it imperative that developers inspect
their package dependencies to mitigate typosquatting and dependency
confusion attacks.
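One way to act on that advice is a small dependency audit, added here as an example (not code from the article or from JFrog): it reads a parsed package.json, flags any dependency that exactly matches the 25 package names listed above, and flags names that sit within a couple of edits of the legitimate packages they impersonated (colors, crypto-js, discord.js, marked, noblox.js). The sample package.json and the typo'd name discordjs are constructed for the demonstration.

```javascript
// Added defensive example (not code from the article or JFrog): audit a parsed
// package.json for the package names the article lists and for near-miss names
// of the legitimate packages they impersonated. Lists and sample are constructed.
const KNOWN_MALICIOUS = new Set([
  'node-colors-sync', 'color-self', 'color-self-2', 'wafer-text', 'wafer-countdown',
  'wafer-template', 'wafer-darla', 'lemaaa', 'adv-discord-utility', 'tools-for-discord',
  'mynewpkg', 'purple-bitch', 'purple-bitchs', 'noblox.js-addons', 'kakakaakaaa11aa',
  'markedjs', 'crypto-standarts', 'discord-selfbot-tools', 'discord.js-aployscript-v11',
  'discord.js-selfbot-aployscript', 'discord.js-selfbot-aployed',
  'discord.js-discord-selfbot-v4', 'colors-beta', 'vera.js', 'discord-protection',
]);
// Legitimate packages the article says were impersonated (typosquatting targets).
const POPULAR = ['colors', 'crypto-js', 'discord.js', 'marked', 'noblox.js'];

// Levenshtein edit distance (single-row DP); a small distance suggests a typosquat.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return row[b.length];
}

// Returns findings for every dependency: exact hits on the listed packages, or
// names within `maxDistance` edits of a legitimate package (but not equal to it).
function auditDependencies(pkg, maxDistance = 2) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (KNOWN_MALICIOUS.has(name)) { findings.push({ name, reason: 'known-malicious' }); continue; }
    for (const legit of POPULAR) {
      const d = editDistance(name, legit);
      if (d > 0 && d <= maxDistance) { findings.push({ name, reason: `near-miss-of:${legit}` }); break; }
    }
  }
  return findings;
}

// Constructed sample package.json: one legitimate, one listed, one typo'd name.
const samplePkg = { dependencies: { 'discord.js': '^14', 'colors-beta': '1.0.0', discordjs: '1.0.0' } };
console.log(auditDependencies(samplePkg));
// → [{ name: 'colors-beta', reason: 'known-malicious' }, { name: 'discordjs', reason: 'near-miss-of:discord.js' }]
```

Near-miss hits are candidates for manual review rather than verdicts, since unrelated legitimate packages can also sit close to a popular name; exact hits on the listed names should be removed and the lockfile regenerated.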
