However, once a developer had installed the package and integrated it into a project, running that project's code also executed the malicious payload.
According to the npm security team, the code attempted to open five local files, read their contents and post the data to a Discord channel through a Discord webhook.
The five paths the malicious package tried to read are the following (the `\x20` sequences are escaped spaces, reproduced as they appear in the package source):
- `/AppData/Local/Google/Chrome/User\x20Data/Default/Local\x20Storage/leveldb`
- `/AppData/Roaming/Opera\x20Software/Opera\x20Stable/Local\x20Storage/leveldb`
- `/AppData/Local/Yandex/YandexBrowser/User\x20Data/Default/Local\x20Storage/leveldb`
- `/AppData/Local/BraveSoftware/Brave-Browser/User\x20Data/Default/Local\x20Storage/leveldb`
- `/AppData/Roaming/discord/Local\x20Storage/leveldb`
The first four are the LevelDB databases that back Local Storage in Chrome, Opera, Yandex Browser and Brave. The last is the equivalent LevelDB database for the Discord desktop client on Windows, which among other things records the channels the user is subscribed to.
It is worth noting that the malicious package did not steal other sensitive data from the targeted developers' machines, such as session cookies or the browser database that holds saved credentials.
The package therefore looks like a reconnaissance stage: fingerprint the victims, collect data on them and work out which websites the developers had access to, before delivering more targeted code through a later update.
The npm security team advises developers to remove the malicious package from their projects.
The package was available in the npm registry for two weeks, during which it was downloaded almost 300 times.