Skip Navigation

CursedGrabber strikes again: Sonatype spots new malware campaign against Software Supply Chains

January 20, 2021 By Sonatype Security Research Team

3 minute read time

On January 16th, Sonatype became aware of 3 malicious packages that were published to npm, and leveraged brandjacking and typosquatting techniques that we  previously warned about.

The names of the packages are:

npm package


Published to npm by


0.1.0 to 0.1.5



0.0.1, 0.0.2



2.0.3 to 2.0.7



Sonatype’s Security Research Team has also determined the actor(s) who authored these packages are the authors of the CursedGrabber Discord malware family which was discovered by Sonatype in November of 2020.

“These packages contain variations of Discord token stealing code from Discord malware discovered by Sonatype on numerous occasions” states Sonatype Security Researcher Ax Sharma, who led the technical analysis against this malware campaign. [1, 2]

Detection and Analysis 

The malicious packages were detected by Sonatype’s Security Research Team leveraging Sonatype’s Nexus Intelligence research service. On analyzing these packages closely, our Security Research Team confirmed that the packages pose a security risk and gathered clear evidence that the malware campaign was using a Discord bot to generate fake download counts for the packages to make them appear more popular to potential users.

Simultaneously with these research efforts we notified npm to remove these malicious components from the npm repository. As of this publishing, they are still available for download. We'll update this piece once npm and Github have removed the vulnerability. 

All versions of these packages are malicious and being tracked under Sonatype’s vulnerability identifier sonatype-2021-0045.

3 malicious component components published by CursedGrabber malware creators

Image: 3 malicious component components published by CursedGrabber malware creators

Customers Impact

“Based on the visibility we have, none of the packages were downloaded by Sonatype customers and our customers remain protected from potential software supply chain attacks arising from malicious, counterfeit packages like these,” stated Sharma. 

These findings reiterate that software supply chain attacks will only become more common and underscore how crucial it is for organizations that protect against such attacks to continuously improve their strategies against them.

Sonatype’s world-class security research data, combined with our automated malware detection technology safeguards your developers, customers, and software supply chain from infections. In fact, Sonatype - working with others in the cybersecurity research community - identified a 430% increase in upstream software supply chain attacks over the past year. With open source software component downloads surpassing 1.5 trillion in 2020, companies and their developers can no longer rely on manual reviews, analysis, and tracking to protect themselves against similar software supply chain attacks.

If you're not a Sonatype customer and want to find out if any open source software components you are using are known to be vulnerable, Sonatype's free Nexus Vulnerability Scanner is available for you to use.  The Nexus Vulnerability Scanner will analyze any application within seconds and will produce a software bill of materials detailing the quality and security of each open source component used therein.

Visit the Nexus Intelligence Insights page for a deep dive into other vulnerabilities like this one or subscribe to automatically receive Nexus Intelligence Insights hot off the press.

Tags: vulnerabilities, featured, Product, Nexus Intelligence Insights

Written by Sonatype Security Research Team

Sonatype's Security Research Team is comprised 65 world class professionals with 500+ years of experience. The Team is focused on bringing real-time, in-depth intelligence and actionable information about open source and third party vulnerabilities to Sonatype customers.