Sonatype has caught newer typosquats of the popular 'colors' npm library that contain obfuscated malware. The malware in question comprises Discord info-stealers attempting to hijack the user's Discord tokens and session information.
These findings were made by Sonatype's automated malware detection bots which both detect and block suspicious and malicious open source components as part of the Sonatype Platform.
npm, Discord and ...Piranhas 🐟
To give you a recap, the heavily used 'colors' library rakes in 20 million weekly downloads on npm and has around 19,000 open source projects relying on it. The library drew much notoriety this January after being sabotaged in protest by its maintainer Marak Squires.
And all of that explains why threat actors would attempt to typosquat it: to maximize their chances of success should a developer fall for a forked but tainted version of a legitimate library, as opposed to the real thing.
At the time of our discovery, the npm pages for the aforementioned packages were verbatim replicas of those for the real 'colors'. Take for example 'colors-help' — the README, and even the GitHub repo URLs on the right-hand side, are exact copies.
De-obfuscating the code clearly unveils the nefarious activities the project is conducting.
Sonatype senior security researcher Ankita Lamba who analyzed these typosquats explains:
"The malicious code iterates over local storage folders of common browsers (Chrome, Opera, Brave, Yandex) and Discord-specific folders," states Lamba.
The folder locations shown below are common targets not just of this stealer but of many Discord token stealers we have repeatedly seen before.
- /AppData/Roaming/discordcanary/Local Storage/leveldb
- /AppData/Roaming/discord/Local Storage/leveldb
- /AppData/Local/Google/Chrome/User Data/Default/Local Storage/leveldb
- /AppData/Roaming/Opera Software/Opera Stable/Local Storage/leveldb
- /AppData/Local/BraveSoftware/Brave-Browser/User Data/Default/Local Storage/leveldb
- /AppData/Local/Yandex/YandexBrowser/User Data/Default/Local Storage/leveldb
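Two checks a defender can script from what this post documents: a dependency-name heuristic for 'colors' typosquats (misspellings such as 'colorsss', or the real name with a suffix bolted on, as in 'colors-help' and 'colors_express'), and a source scan for the browser and Discord leveldb folder paths listed above. This is an added example, not code from Sonatype or from the packages analyzed here; the allowlist, sample package.json and sample source line are constructed, and the path scan only works on de-obfuscated code, since the original payload was obfuscated.

```javascript
// Added example: pre-install audit for 'colors' typosquats and Discord-stealer path indicators.
// Folder fragments quoted in the post; none belong in a library that colorizes terminal output.
const SUSPICIOUS_PATHS = [
  'discordcanary/Local Storage/leveldb',
  'discord/Local Storage/leveldb',
  'Google/Chrome/User Data/Default/Local Storage/leveldb',
  'Opera Software/Opera Stable/Local Storage/leveldb',
  'BraveSoftware/Brave-Browser/User Data/Default/Local Storage/leveldb',
  'Yandex/YandexBrowser/User Data/Default/Local Storage/leveldb',
];
// Constructed allowlist: the real package plus 'color', a legitimate package one edit away.
const DEFAULT_ALLOWLIST = new Set(['colors', 'color']);

// Levenshtein distance with a single rolling row.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Flags close misspellings of 'colors' and names that are 'colors' plus a separator and suffix.
function looksLikeColorsTyposquat(name, allowlist = DEFAULT_ALLOWLIST) {
  const n = name.toLowerCase();
  if (allowlist.has(n)) return false;
  return editDistance(n, 'colors') <= 2 || /^colors[-_.]/.test(n);
}

// Returns the suspicious folder fragments present in a (de-obfuscated) JS source string.
function findStealerIndicators(source) {
  const s = source.replace(/\\+/g, '/'); // normalise escaped Windows separators
  return SUSPICIOUS_PATHS.filter((p) => s.includes(p));
}

// Returns dependency names from a package.json string that look like 'colors' typosquats.
function auditDependencies(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.keys(deps).filter((name) => looksLikeColorsTyposquat(name));
}

// Constructed sample inputs, not real package contents.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { colors: '1.4.0', 'colors-help': '1.0.0', express: '4.18.2', colorsss: '0.1.0' },
});
const SAMPLE_SOURCE = 'const p = home + "\\\\AppData\\\\Roaming\\\\discord\\\\Local Storage\\\\leveldb";';
```

Running `auditDependencies(SAMPLE_PACKAGE_JSON)` on the sample flags 'colors-help' and 'colorsss' for review, and `findStealerIndicators(SAMPLE_SOURCE)` reports the Discord leveldb fragment.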
"The code then searches these folders for strings looking like a Discord token by using a regular expression," explains Lamba.
The stolen tokens are then exfiltrated via an HTTP POST request to a Replit-hosted minisite created by the attacker:
The domain used within 'colors-helper' is different, but still hosted on Replit:
Within 'colors_express,' however, we see some interesting links that are hosting malicious code on an independent domain that is still up at the time of writing:
'PegaPiranha,' if not a Portuguese reference, seems to be a play on the spelling of the sci-fi horror movie 'Mega Piranha.'
The '/kauanaperigosa' endpoint seen at the time of our analysis returns malicious NodeJS code:
These malicious packages were published to the npm registry over the April 30th weekend and blocked automatically for customers by Nexus Firewall.
On Monday, May 2nd, the Sonatype security research team reviewed and reported these packages to the npm security team. These packages were then taken down before they could reach 200 downloads in total.
The ongoing Discord obsession 🎮
This isn't the first time the 'colors' library has been targeted by attackers engaging in typosquatting attacks either. In March, we analyzed several packages, including 'colorsss', 'colors-2.0' and 'colors-3.0', that impersonated the real 'colors' library and hid Discord info-stealing malware.
In 2020, it was the malicious 'fallguys' npm package that hid Discord info-stealers, followed by its successor discord.dll discovered the same year. Between 2020 and 2021, Sonatype discovered an entire family of Discord token-stealing malware called CursedGrabber. And we continue to see the trend of threat actors looking to exploit a niche audience: gamers and game devs.
Sonatype Repository Firewall users remain protected 🔒
Sonatype remains at the forefront of timely discoveries and reporting attacks targeting OSS developers and the gaming community.
Users of Sonatype Repository Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching their development builds.
Sonatype Repository Firewall instances will automatically quarantine any suspicious components detected by our automated malware detection systems while a manual review by a researcher is in the works, thereby keeping your software supply chain protected from the start.
Sonatype's world-class security research data, combined with our automated malware detection technology, safeguards your developers, customers, and software supply chain from infections.