silversurfer
Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
- Aug 17, 2014
- 10,207
The npm security team has removed a malicious JavaScript library from the npm portal that was designed to steal sensitive files from an infected users' browser and Discord application.
The malicious package was a JavaScript library named "fallguys" that claimed to provide an interface to the "Fall Guys: Ultimate Knockout" game API.
However, after developers downloaded the library and integrated it inside their projects, when the infected dev would run their code, the malicious package would also execute.
Per the npm security team, this code would attempt to access five local files, read their content, and then post the data inside a Discord channel (as a Discord webhook).
The npm security team advises that developers remove the malicious package from their projects.
The malicious package was available on the site for two weeks, during which time it was downloaded nearly 300 times.