Malware Alert Malicious NPM packages used to install njRAT remote access trojan

silversurfer

Level 68
Verified
Trusted
Content Creator
Malware Hunter
Aug 17, 2014
5,775
New malicious NPM packages have been discovered that install the njRAT remote access trojan that allows hackers to gain control over a computer.

NPM is a JavaScript package manager that allows developers and users to download packages and integrate them into their projects. As NPM is an open ecosystem, anyone can upload a new package without it being reviewed or scanned for malware. While this environment has led to a repository of 1 million rich and diverse packages, it also makes it easy for threat actors to upload malicious packages.

Today, open-source security firm Sonatype discovered malicious NPM packages masquerading as a legitimate tool to make databases out of JSON files. [...]
 

silversurfer

On January 16th, Sonatype became aware of 3 malicious packages that were published to npm, and leveraged brandjacking and typosquatting techniques that we previously warned about.
The names of the packages are:
| npm package | versions | Published to npm by |
| --- | --- | --- |
| an0n-chat-lib | 0.1.0 to 0.1.5 | scp173-deleted |
| discord-fix | 0.0.1, 0.0.2 | scp173-deleted |
| sonatype | 2.0.3 to 2.0.7 | scp173-deleted |

Sonatype’s Security Research Team has also determined the actor(s) who authored these packages are the authors of the CursedGrabber Discord malware family which was discovered by Sonatype in November of 2020.
“These packages contain variations of Discord token stealing code from Discord malware discovered by Sonatype on numerous occasions” states Sonatype Security Researcher Ax Sharma, who led the technical analysis against this malware campaign. [1, 2]
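
A lockfile check for the three packages and version ranges listed above, as an added example that is not part of the original posts or of Sonatype's report. The function names, the sample lockfile and the `demo-app` / `some-lib` names are constructed for illustration; pass `scanLockfile` the parsed contents of a project's `package-lock.json`.

```javascript
// Names and inclusive version ranges copied from the table in the post above.
const FLAGGED = {
  'an0n-chat-lib': [['0.1.0', '0.1.5']],
  'discord-fix': [['0.0.1', '0.0.2']],
  'sonatype': [['2.0.3', '2.0.7']],
};

// Compare plain x.y.z versions numerically (any pre-release suffix is ignored).
function cmp(a, b) {
  const [pa, pb] = [a, b].map(v => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

function isFlagged(name, version) {
  // Own-property check so names like "constructor" never match by accident.
  if (!Object.prototype.hasOwnProperty.call(FLAGGED, name) || typeof version !== 'string') return false;
  return FLAGGED[name].some(([lo, hi]) => cmp(version, lo) >= 0 && cmp(version, hi) <= 0);
}

// lockfileVersion 2/3 keeps a flat "packages" map keyed by install path;
// lockfileVersion 1 only has nested "dependencies", so those are walked recursively.
function scanLockfile(lock) {
  const hits = [];
  const check = (name, meta, where) => {
    if (isFlagged(name, meta.version)) hits.push(`${name}@${meta.version} (${where})`);
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // root project entry, not a dependency
      check(meta.name || path.split('node_modules/').pop(), meta, path);
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta, trail.concat(name).join(' > '));
      walk(meta.dependencies, trail.concat(name));
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sample = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/discord-fix': { version: '0.0.2' },
  'node_modules/some-lib/node_modules/sonatype': { version: '2.0.8' }, // outside listed range
} };
console.log(scanLockfile(sample));
```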
 