
NPM is the package manager and package repository for NodeJS, the popular JavaScript runtime that developers have used for years to share tools, manage dependencies and publish open source JavaScript projects. Unfortunately, the integrity of the NPM registry has been compromised: several packages infected with the CursedGrabber malware were detected in the repository.

Such a compromise is potentially serious because it does not only affect the computers of the developers who install these packages: the malware would also be carried into the web applications they build and, through them, onto the computers of their users. That is why infecting this kind of repository is an increasingly common tactic among attackers who want to guarantee the spread of their malware.

CursedGrabber is intended to steal tokens and personal information from users of Discord, the community platform that lets its users communicate through text, voice calls, video calls and so on. Discord tokens are used by bots to communicate with the API, so stealing a token allows an attacker to take over the affected community. In this case the theft is carried out by manipulating the hosts file in Windows.

CursedGrabber was discovered in November and targets Windows hosts. The malicious packages contain two .exe files that are invoked and executed through scripts declared in the manifest file, ‘package.json’. The first .exe scans the user profiles of various web browsers along with the Discord leveldb files, steals Discord tokens and credit card information, and sends the user data to the attacker via a webhook. The second unpacks additional code with multiple capabilities, including privilege escalation, keylogging, taking screenshots, installing back doors and accessing webcams. These threats deserve attention because they are becoming increasingly popular with criminals, and because the tools they compromise are popular and widely used, so caution is warranted when installing packages.
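A defender-side check for the launch mechanism described above, added here as an example and not part of the original article: it inspects a package.json and flags npm lifecycle hooks (preinstall, postinstall, etc.) whose command invokes a Windows executable, PowerShell or cmd. The sample manifest, package name and file names are constructed placeholders, not real indicators.

```javascript
// Added example: audit a package.json for lifecycle scripts that launch
// native binaries, which is how the article says the .exe payloads run.
// Manifests are passed as parsed objects; the sample below is constructed.
const LIFECYCLE_HOOKS = [
  'preinstall', 'install', 'postinstall',
  'preuninstall', 'uninstall', 'postuninstall',
  'prepare', 'prepublish', 'prepublishOnly',
];

// Patterns that are rarely legitimate in an install hook of a JS package.
const SUSPICIOUS = [
  /\.exe\b/i,            // runs a Windows executable shipped in the package
  /\bpowershell\b/i,     // PowerShell one-liners used to stage payloads
  /\bcmd(\.exe)?\s+\/c/i // cmd /c wrappers around native commands
];

// Returns one finding per lifecycle hook that matches a suspicious pattern.
function auditManifest(manifest) {
  const findings = [];
  const scripts = (manifest && manifest.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    const reasons = SUSPICIOUS.filter((re) => re.test(cmd)).map((re) => re.source);
    if (reasons.length > 0) findings.push({ hook, command: cmd, reasons });
  }
  return findings;
}

// Constructed sample modelled on the behaviour described in the article;
// 'example-package' and 'loader.exe' are placeholders, not real indicators.
const SAMPLE_MANIFEST = {
  name: 'example-package',
  version: '1.0.0',
  scripts: {
    test: 'node test.js',
    postinstall: 'start /B loader.exe',
  },
};

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

Installing with `npm install --ignore-scripts` prevents lifecycle hooks from running at all, which closes this launch path regardless of what the manifest declares.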


