Compromised npm Packages Used to Attack other Malicious Actors, Research Finds

Security researchers have identified a slew of malicious npm packages designed to target other malware authors and hijack Discord credentials.

The number of malicious packages distributed through the npm repository is still high, even with all the security the npm project has implemented. Most of the new security measures aim to prevent man-in-the-middle attacks, not stopping attackers from using the platform to spread malicious packages.

Attackers use two different tactics to trick people into downloading their packages instead of the proper ones. They either use very similar project names or simply duplicate well-known packages and just add a small piece of malicious code that essentially transforms them into a trojan.

“It seems that many npm malicious packages are still masquerading as the infamous colors.js npm package, which was susceptible to a major denial of service attack a few weeks ago,” said JFrog researchers. “This masquerading is probably due to the fact that colors.js is still one of the most installed packages in npm.”

Most of the 25 malicious packages the researchers discovered acted as Discord token stealers, python remote code injectors, and environment variable stealers. The repository admins quickly took down the malicious packages, but the attackers will likely try again, given the npm repository’s popularity with developers.

The effort needed to duplicate the packages and inject them with code is very low, which means that potential returns for any malicious campaigns are sufficient to entice attackers. A recent study by North Carolina State University and Microsoft found several security issues with npm packages. In that case, the researchers proposed a ranking system for the packages that would allow potential users to determine if a package is safe to install. Such a system would weed out many attempts to copy original projects.