Security researchers at Sonatype have discovered today an npm package (JavaScript library) that contains malicious code designed to steal sensitive files from a user's browsers and Discord application.
Named discord.dll[1], the malicious JavaScript library is still available via npm[2], a web portal, command-line utility, and package manager for JavaScript programmers.
Developers use npm to load and then update libraries (npm packages) inside their JavaScript projects, be they websites, desktop apps, or server applications.
Sonatype says[3] that once installed, discord.dll will run malicious code to search a developer's computer for certain applications and then retrieve their internal LevelDB databases.
Targeted apps include browsers like Google Chrome, Brave, Opera, and the Yandex Browser, but also the Discord instant messaging app, popular today with most online gamers.
The files the malware retrieves are LevelDB databases, which the aforementioned apps use to store information such as browsing histories and various access tokens.
Discord.dll would read the files and attempt to post their content to a Discord channel (via a Discord webhook[4]).
Links to another malicious npm package
Sonatype said that after a review, it found that the malicious code was an improved version of a malicious library it saw in August. Named fallguys[5], this library, too, was collecting the same information, although in a less complicated manner.
Sonatype, a company that monitors public package repositories as part of its developer security operations (DevSecOps) services, said discord.dll was published more than five months ago and has been downloaded more than 100 times.
In contrast, despite being available on the npm portal for only two weeks, the fallguys package was downloaded more than 300 times.
The reason for the success of the first package can be linked to the fact that