
Discord.dll: successor to npm “fallguys” malware went undetected for 5 months

This week, the Sonatype Security Research team has identified a series of counterfeit components in the npm ecosystem. These intentionally malicious packages appear to do the same kind of shady things as the malicious “fallguys” npm package discovered in September, which stole web browser files and Discord gaming IMs.

The new packages in question were published by the same npm author whose npm account also contains what look like legitimate packages with genuine use cases:

  • discord.dll
  • discord.app
  • wsbd.js
  • ac-addon

How were these counterfeit components identified?

Our automated malware detection system, Release Integrity, flagged a suspicious package, “wsbd.js”, for potentially malicious behaviour.

This is the same system that previously identified `twilio-npm`, `electorn`, and `loadyaml`.

However, while looking deeper into “wsbd.js”, I couldn’t help but look into its author. I realized the author had published 10 other npm packages, and I then began analyzing each of them. While most packages published by the author exhibited no obvious signs of malicious behaviour, “wsbd.js” and the three others listed above stood out.

What is discord.dll?

discord.dll is an npm component that carries out malicious activity which is hard to spot up front. It also depends on the legitimate Discord.js npm package, potentially to distract researchers from its otherwise nefarious behaviour.

The package has a single version, 1.0.0, which has been available for download on npm for over 5 months.

What makes the package difficult to analyze is that it consists of multiple files, almost all of which are heavily obfuscated and have base64-encoded strings everywhere.

In essence, discord.dll is a successor to the previously detected fallguys package.

Starting with discord.dll’s manifest file, package.json, some interesting details come to light.

[Figure: Discord 1]


*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/discord.dll-successor-to-npm-fallguys-