After finding a malicious JavaScript code in one of their package libraries, the npm security team has removed it from their portal immediately to avoid infecting others.
The malicious code was already downloaded 300 times in two weeks and was used by Fall Guy’s game developers. The malicious code was reportedly stealing sensitive files from users browsers and Discord clients.
A Code For Stealing Discord And Browser Files
npm software is a package manager for the Node JavaScript platform, that organizes the modules to be found by the node. It intelligently manages the dependency conflicts of modules among nodes and is configurable for various other uses.
It maintains a portal for public and private libraries for Node JavaScript and found malicious code in one of their packages.
The malicious code was found in a JS library called “fallguys“, which claimed to provide an interface for the game Fall Guys: Ultimate Knockout game API. The game was so popular that, it has sold over 7 million copied on Steam, making it the most downloaded game on PlayStation Plus.
The malicious code in the library has been for over two weeks before the npm security team found and removed it. Meanwhile, it was downloaded by developers about 300 times to be included in their game APIs.
According to the team, the code was intended to steal files from local files of browsers and Discord. The specific paths it would access are;
- /AppData/Local/Google/Chrome/User\x20Data/Default/Local\x20Storage/leveldb
- /AppData/Roaming/Opera\x20Software/Opera\x20Stable/Local\x20Storage/leveldb
- /AppData/Local/Yandex/YandexBrowser/User\x20Data/Default/Local\x20Storage/leveldb
- /AppData/Local/BraveSoftware/Brave-Browser/User\x20Data/Default/Local\x20Storage/leveldb
- /AppData/Roaming/discord/Local\x20Storage/leveldb
While the first four files are LevelDB databases of specific browsers like Chrome, Opera, Yandex Browser, and Brave, the last one belongs to Discord’s LevelDB database. Upon running the malicious code in their game APIs by infected developers, it would execute to assess these files.
These files would contain the browsing history in case of browsers and Channel related content in case of Discord. It’s interesting to see that it doesn’t steal or monitor any cookie sessions or browser stored credentials. Yet, npm security warned about reconnaissance threats and advised developers to remove that code from their packages.
