On December 8, 2021, our friends at JFrog published an article, "Malicious npm Packages Are After Your Discord Tokens – 17 New Packages Disclosed".
From JFrog: "We are now sharing the findings of our most recent body of work — disclosing 17 malicious packages in the npm (Node.js package manager) repository that were picked up by our automated scanning tools. Many of them intentionally seek to attack a user's Discord token, which is a set of letters and numbers that act as an authorization code to access Discord's servers. It is effectively a user's credentials. Put plainly: obtaining a victim's Discord token gives the attacker full access to the victim's Discord account."
JupiterOne response to our clients
With the rise of modern application development and the increasing reliance on third-party libraries, ensuring the security of repositories like npm has never been more critical. In this post, we look at how malicious actors target users of widely used platforms like Discord by publishing npm packages that harvest Discord tokens, posing a serious threat to developers and end users alike. Knowing how to detect and respond to these packages quickly is vital for safeguarding your systems.
At JupiterOne, we understand the complexities of modern software ecosystems and the risks that supply chain attacks introduce. By applying sound security practices, organizations can maintain a proactive stance against these tactics. Below, we show how to identify the token-stealing npm packages from this disclosure in your own code repositories before they cause harm.
This query is for customers who use our npm-inventory script to ingest npm CodeModule dependencies. Security Operations or DevSecOps teams can use the npm-inventory script to inventory a set of code repos (or exhaustively clone them all locally for full coverage).
The script ingests CodeRepo -USES-> CodeModule relationships into the J1 graph, which can then be queried for vulnerable packages. The query below searches for the exact package versions affected by this weekend's disclosure related to Discord token harvesting:
FIND CodeRepo THAT USES AS u CodeModule AS cm WHERE
(cm.displayName = 'prerequests-xcode' and u.version = '1.0.4') or
(cm.displayName = 'discord-selfbot-v14' and u.version = '12.0.3') or
(cm.displayName = 'discord-lofy' and u.version = '11.5.1') or
(cm.displayName = 'discordsystem' and u.version = '11.5.1') or
(cm.displayName = 'discord-vilao' and u.version = '1.0.0') or
(cm.displayName = 'fix-error' and u.version = '1.0.0') or
(cm.displayName = 'wafer-bind' and u.version = '1.1.2') or
(cm.displayName = 'wafer-autocomplete' and u.version = '1.25.0') or
(cm.displayName = 'wafer-beacon' and u.version = '1.3.3') or
(cm.displayName = 'wafer-caas' and u.version = '1.14.20') or
(cm.displayName = 'wafer-toggle' and u.version = '1.15.4') or
(cm.displayName = 'wafer-geolocation' and u.version = '1.2.10') or
(cm.displayName = 'wafer-image' and u.version = '1.2.2') or
(cm.displayName = 'wafer-form' and u.version = '1.30.1') or
(cm.displayName = 'wafer-lightbox' and u.version = '1.5.4') or
(cm.displayName = 'octavius-public' and u.version = '1.836.609') or
(cm.displayName = 'mrg-message-broker' and u.version = '9998.987.376')
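For teams that do not yet have the npm-inventory script in place, the same exact name-and-version check can be run directly against a repo's package-lock.json. The following is an added example written for this post, not JupiterOne's npm-inventory script or JFrog's tooling; the indicator list is the one from the query above, and the lockfile is a constructed sample.

```javascript
// Added example, not JupiterOne's npm-inventory script: match a package-lock.json
// against the exact name@version pairs from the JFrog disclosure quoted above.
const MALICIOUS = new Map(Object.entries({
  'prerequests-xcode': '1.0.4', 'discord-selfbot-v14': '12.0.3', 'discord-lofy': '11.5.1',
  'discordsystem': '11.5.1', 'discord-vilao': '1.0.0', 'fix-error': '1.0.0',
  'wafer-bind': '1.1.2', 'wafer-autocomplete': '1.25.0', 'wafer-beacon': '1.3.3',
  'wafer-caas': '1.14.20', 'wafer-toggle': '1.15.4', 'wafer-geolocation': '1.2.10',
  'wafer-image': '1.2.2', 'wafer-form': '1.30.1', 'wafer-lightbox': '1.5.4',
  'octavius-public': '1.836.609', 'mrg-message-broker': '9998.987.376',
}));
// Yield { name, version } for every resolved package, including transitive ones.
function* installedPackages(lock) {
  if (lock.packages) { // lockfileVersion 2/3: flat object keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project itself
      const i = path.lastIndexOf('node_modules/');
      // "node_modules/a/node_modules/@s/b" -> "@s/b"; workspace paths fall back to meta.name
      const name = i === -1 ? (meta.name || path) : path.slice(i + 'node_modules/'.length);
      yield { name, version: meta.version };
    }
  } else { // lockfileVersion 1: transitive deps nested under each entry's "dependencies"
    const walk = function* (deps) {
      for (const [name, meta] of Object.entries(deps || {})) {
        yield { name, version: meta.version };
        yield* walk(meta.dependencies);
      }
    };
    yield* walk(lock.dependencies);
  }
}
// Exact-version match only: the same package name at another version is not flagged,
// because the disclosure names specific versions, just as the J1QL query above does.
function findMaliciousPackages(lock) {
  const hits = new Set();
  for (const { name, version } of installedPackages(lock)) {
    if (MALICIOUS.has(name) && MALICIOUS.get(name) === version) hits.add(`${name}@${version}`);
  }
  return [...hits].sort();
}
// Constructed sample lockfile (v2 layout), not taken from any real project.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/discord.js': { version: '13.3.1' },
    'node_modules/wafer-form': { version: '1.30.1' },
    'node_modules/wafer-form/node_modules/fix-error': { version: '1.0.0' },
    'node_modules/fix-error': { version: '2.0.0' }, // different version: not flagged
  },
};
console.log(findMaliciousPackages(SAMPLE_LOCK)); // [ 'fix-error@1.0.0', 'wafer-form@1.30.1' ]
```

Point it at a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-empty result means the repo resolved one of the disclosed versions and the J1 query above should also return it.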
As software supply chain attacks become more sophisticated, defending against them requires constant vigilance and an intelligent approach to asset management. JupiterOne's security capabilities help teams rapidly detect and mitigate threats like token-stealing packages in the npm registry. By maintaining full visibility into your assets and continuously monitoring for vulnerable dependencies, you can stay ahead of attackers and preserve the integrity of your development processes.
Stay tuned to our blog for more insights into security best practices, and explore how JupiterOne can help your organization protect against evolving threats in the ever-changing cybersecurity landscape.