Malicious library found in NPM


The NPM security team has removed a malicious JavaScript library from NPM, an open-source project directory. The library was designed to steal sensitive files from an infected user's browser and Discord application.

According to the NPM security team, the malicious package was a JavaScript library named “fallguys” that claimed to provide an interface to the “Fall Guys: Ultimate Knockout” game API. Its code would execute when an application used the package: it would attempt to access five local files, read their content, and then post the data inside a Discord channel.

The five files the package would attempt to read:

/AppData/Local/Google/Chrome/User\x20Data/Default/Local\x20Storage/leveldb
/AppData/Roaming/Opera\x20Software/Opera\x20Stable/Local\x20Storage/leveldb
/AppData/Local/Yandex/YandexBrowser/User\x20Data/Default/Local\x20Storage/leveldb
/AppData/Local/BraveSoftware/Brave-Browser/User\x20Data/Default/Local\x20Storage/leveldb
/AppData/Roaming/discord/Local\x20Storage/leveldb

According to ZDNet, the malicious package appears to have been performing some sort of reconnaissance: gathering data on victims and trying to assess what sites the infected developers were accessing, before delivering more targeted code via an update to the package later down the road. Of note is that the malicious package did not steal other sensitive data from the infected developers’ computers, such as session cookies or the browser database that was storing credentials.
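
For defenders auditing their own dependencies, the sketch below is an added example (not code from the package, NPM or ZDNet) that flags JavaScript files referring to any of the five paths listed above, decoding `\x20`-style escapes first so that escaped and plain spellings both match. The function names and the sample strings are hypothetical and constructed for illustration.

```javascript
// Added example, not the package's code: flag JavaScript sources that refer
// to the Local Storage paths listed on this page. Function names are hypothetical.
const nodeFs = require('fs');
const nodePath = require('path');

// The five paths exactly as listed above (\x20 is an escaped space).
const LISTED_PATHS = [
  String.raw`/AppData/Local/Google/Chrome/User\x20Data/Default/Local\x20Storage/leveldb`,
  String.raw`/AppData/Roaming/Opera\x20Software/Opera\x20Stable/Local\x20Storage/leveldb`,
  String.raw`/AppData/Local/Yandex/YandexBrowser/User\x20Data/Default/Local\x20Storage/leveldb`,
  String.raw`/AppData/Local/BraveSoftware/Brave-Browser/User\x20Data/Default/Local\x20Storage/leveldb`,
  String.raw`/AppData/Roaming/discord/Local\x20Storage/leveldb`,
];

// Decode \xNN and \uNNNN escapes, unify path separators, and lowercase.
function normalise(text) {
  return text
    .replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g,
      (_, x, u) => String.fromCharCode(parseInt(x || u, 16)))
    .replace(/[\\/]+/g, '/')
    .toLowerCase();
}

const INDICATORS = LISTED_PATHS.map(normalise);

// Return the listed paths (normalised) that a source string refers to.
function findProfilePathRefs(source) {
  const haystack = normalise(source);
  return INDICATORS.filter((p) => haystack.includes(p));
}

// Walk a directory such as node_modules; symlinks are not followed.
function scanTree(dir, hits = []) {
  for (const entry of nodeFs.readdirSync(dir, { withFileTypes: true })) {
    const full = nodePath.join(dir, entry.name);
    if (entry.isDirectory()) scanTree(full, hits);
    else if (entry.isFile() && /\.(c|m)?js$/.test(entry.name)) {
      const refs = findProfilePathRefs(nodeFs.readFileSync(full, 'utf8'));
      if (refs.length) hits.push({ file: full, refs });
    }
  }
  return hits;
}

// Constructed samples for illustration.
const SAMPLE_SUSPECT = String.raw`const p = home + '\\AppData\\Roaming\\discord\\Local\x20Storage\\leveldb';`;
const SAMPLE_BENIGN = "const dir = path.join(os.tmpdir(), 'leveldb');";

console.log(findProfilePathRefs(SAMPLE_SUSPECT));
console.log(findProfilePathRefs(SAMPLE_BENIGN));
```

Calling `scanTree('node_modules')` in a project directory returns the files worth a manual look. A hit is a lead for review rather than proof of malice, and code that assembles these paths from fragments at run time will not match.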
