The NPM package manager, used to spread malware among NodeJS application developers

NPM (short for ‘Node Package Manager’) is the package registry and package manager for NodeJS, a popular JavaScript runtime environment; developers have used it for years to share tools, manage dependencies and, in general, publish open source JavaScript projects.

Now the integrity of NPM has been compromised by malware infiltrating the repository: several software packages have been found to be infected with the CursedGrabber malware. Specifically, the affected packages are an0n-chat-lib, discord-fix and sonatype, all of them published by the user “scp173-deleted”.
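A practical first check for a team that reads this report is to look through its own lockfile for the three package names above, including where they arrive as transitive dependencies. The following script is an added example, not code from the article or from Sonatype; the lockfile contents in it are constructed for the demo, and the version numbers are made up.

```javascript
// Added example (not from the original article or from Sonatype): scan an npm
// lockfile for the package names the report above associates with CursedGrabber.
// The lockfile contents below are constructed for the demo so it runs offline.
// Package names taken from the article (published by user "scp173-deleted").
const FLAGGED_PACKAGES = new Set(["an0n-chat-lib", "discord-fix", "sonatype"]);

// Returns every occurrence (direct or transitive) of a flagged package. Handles
// lockfileVersion 1 (nested "dependencies" tree) and 2/3 (flat "packages" map
// keyed by install path such as "node_modules/foo").
function findFlaggedPackages(lock, flagged = FLAGGED_PACKAGES) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project entry
      const name = path.slice(path.lastIndexOf("node_modules/") + 13);
      if (flagged.has(name)) hits.push({ name, version: meta.version, path });
    }
    return hits; // v2 lockfiles also carry "dependencies"; avoid double counting
  }
  const walk = (deps, parent) => {
    for (const [name, meta] of Object.entries(deps)) {
      const path = parent ? `${parent}>${name}` : name;
      if (flagged.has(name)) hits.push({ name, version: meta.version, path });
      if (meta.dependencies) walk(meta.dependencies, path);
    }
  };
  walk(lock.dependencies || {}, "");
  return hits;
}

// Constructed sample lockfiles (versions and dependency layout are made up).
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { express: "^4.18.0", "discord-fix": "^1.0.0" } },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/discord-fix": { version: "1.0.3" },
    "node_modules/some-lib/node_modules/sonatype": { version: "0.0.1" },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: { "left-pad": { version: "1.3.0", dependencies: { "an0n-chat-lib": { version: "2.0.0" } } } },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const lock of [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1]) {
    for (const h of findFlaggedPackages(lock)) console.log(`FLAGGED ${h.name}@${h.version} at ${h.path}`);
  }
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findFlaggedPackages`.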

A new (and dangerous) way of spreading malware

This kind of attack is potentially serious because it doesn’t just affect the developer teams who install those packages: the malware can also corrupt the web applications they build, and through them reach the computers of those applications’ users.

Infecting this class of repository is therefore an increasingly common tactic among attackers looking to ensure that their malware spreads.

Last month, for instance, the RubyGems repository (which plays a role similar to NPM, but for Ruby developers) found that two of its packages had been corrupted with code that stole cryptocurrency by replacing the destination address of a transaction with the attacker’s own at the moment the user copied and pasted it.

As Ax Sharma, a cybersecurity researcher at Sonatype, explained to Threatpost:

“We have witnessed numerous open source malware attacking sites like GitHub, NPM, and RubyGems: Attackers take advantage of trust within the open source community to spread virtually any type of malware, from CursedGrabber to sophisticated spy Trojans like njRAT.”

What is CursedGrabber?

CursedGrabber is designed to steal tokens and personal information from users of Discord, the platform for building online communities that lets its users communicate by text, voice calls, video calls and so on.

Discord tokens are used by bots to communicate with the Discord API, so stealing a token gives an attacker access to the affected community. In this case, the theft is carried out by manipulating the hosts file on Windows.