
CursedGrabber strikes again: Sonatype spots new malware campaign against Software Supply Chains

On January 16th, Sonatype became aware of 3 malicious packages that were published to npm and leveraged the brandjacking and typosquatting techniques we previously warned about.

The names of the packages are:

npm package      versions          Published to npm by
an0n-chat-lib    0.1.0 to 0.1.5    scp173-deleted
discord-fix      0.0.1, 0.0.2      scp173-deleted
sonatype         2.0.3 to 2.0.7    scp173-deleted

Sonatype’s Security Research Team has also determined that the actor(s) who authored these packages are the authors of the CursedGrabber Discord malware family, which Sonatype discovered in November 2020.

“These packages contain variations of Discord token stealing code from Discord malware discovered by Sonatype on numerous occasions” states Sonatype Security Researcher Ax Sharma, who led the technical analysis against this malware campaign. [1, 2]

Detection and Analysis

The malicious packages were detected by Sonatype’s Security Research Team leveraging Sonatype’s Nexus Intelligence research service. On analyzing these packages closely, our Security Research Team confirmed that the packages pose a security risk and gathered clear evidence that the malware campaign was using a Discord bot to generate fake download counts for the packages to make them appear more popular to potential users.

Simultaneously with these research efforts, we notified npm to remove these malicious components from the npm repository. As of this publishing, they are still available for download. We’ll update this piece once npm and GitHub have removed the packages.

All versions of these packages are malicious and being tracked under Sonatype’s vulnerability identifier sonatype-2021-0045.
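A dependency-tree check for the three packages above, added here as an example and not part of the Sonatype post: it flags any version of the named packages found in a package-lock.json (the advisory treats every version as malicious) and, as an assumed extension, flags names within two edits of a trusted watchlist. The watchlist and the lockfile fragment are constructed for the demonstration.

```javascript
// Added example, not code from the Sonatype post. Audits a package-lock.json
// (lockfile v2/v3 "packages" map) for the packages named in the advisory.

// All published versions of these three packages are malicious per the
// advisory (sonatype-2021-0045), so a name match alone is a finding.
const BLOCKLIST = new Set(["an0n-chat-lib", "discord-fix", "sonatype"]);

// Assumed watchlist of names worth protecting against typosquats; extend per project.
const WATCHLIST = ["discord.js", "lodash", "express"];

// Plain Levenshtein distance with a single rolling row; fine for package-name lengths.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Lockfile keys look like "node_modules/x" or "node_modules/a/node_modules/b";
// the bare package name (scoped names included) follows the last "node_modules/".
function auditLockfile(lock) {
  const findings = [];
  for (const path of Object.keys(lock.packages || {})) {
    if (path === "") continue; // the root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (BLOCKLIST.has(name)) {
      findings.push({ name, path, reason: "known-malicious" });
      continue;
    }
    for (const trusted of WATCHLIST) {
      const d = editDistance(name, trusted);
      if (d > 0 && d <= 2) findings.push({ name, path, reason: `typosquat-of:${trusted}` });
    }
  }
  return findings;
}

// Constructed lockfile fragment: one clean package, two advisory packages
// (one nested as a transitive dependency) and one typosquat of "lodash".
const SAMPLE_LOCK = { packages: {
  "": { name: "demo-app" },
  "node_modules/express": { version: "4.18.2" },
  "node_modules/discord-fix": { version: "0.0.2" },
  "node_modules/lodahs": { version: "1.0.0" },
  "node_modules/express/node_modules/sonatype": { version: "2.0.5" },
} };

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Download counts are not a useful signal here, since the post describes the campaign inflating them with a Discord bot; match on names and versions instead.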

Image: 3 malicious components published by CursedGrabber malware creators

Customer Impact

“Based on the visibility we have, none of the packages were downloaded by Sonatype customers and our customers remain protected from potential software supply chain attacks arising from malicious, counterfeit packages like

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Sonatype Security Research Team. Read the original post at: https://blog.sonatype.com/cursedgrabber-strikes-again-sonatype-spots-new-malware-campaign-against-software-supply-chains