
StringJS Typosquat Deploys Discord Infostealer Obfuscated Five Times

An npm package called ‘stringjs_lib’ was identified by Sonatype this week. The package typosquats the popular npm library ‘string’ (or StringJS) and ships a Discord info-stealer obfuscated not once but five times.

The legitimate ‘string’ library is downloaded anywhere between 70,000 and 100,000 times in any given week, which explains why a threat actor would be lured into shipping counterfeit versions of this library — a theme we’ve repeatedly observed when it comes to malware distributed via open source typosquats.

The malicious ‘stringjs_lib’ package was caught by Sonatype’s automated malware detection systems, which are an integral part of Nexus Firewall.

Analysis by our security researcher Carlos Fernandez revealed that the package goes to great lengths to hide its true purpose.

Packed and Obfuscated 5x to Hinder Analysis

This week, the ‘stringjs_lib’ package appeared on the npm registry, and was caught by our automated malware detection bots. While both the empty README and the name closely resembling StringJS raised red flags, it took some time before the package’s purpose became completely clear.

The package was published from a standalone, pseudonymous npm account, ‘stringjs_npm.’

Within the package, there’s a simple manifest file (package.json) and an index.js file. And it is this ‘index.js’ file that would leave an analyst scratching their head:

The string sequence shown above does not actually span several lines; rather, the author packed the 233,700+ character sequence tightly into a single line, which would otherwise run to roughly 4,250 lines of code if it contained newline characters.

The sequence ends cryptically too:

Simple deobfuscation techniques and the paths we usually follow to unpack malware didn’t help much. But Fernandez noticed a few things that helped it all come to light:

  • First, Line 3 of the code starts with eval(function(p,a,c,k,e,d)… which is a big hint the code had been processed (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/stringjs-typosquat-caught-with-discord-info-stealer