
Malicious npm ‘colors’ typosquats pack Discord malware

Sonatype has caught newer typosquats of the popular ‘colors’ npm library that contain obfuscated malware. The malware in question comprises Discord info-stealers attempting to hijack the user’s Discord tokens and session information.

These findings were made by Sonatype’s automated malware detection bots which both detect and block suspicious and malicious open source components as part of the Nexus platform.

npm, Discord and …Piranhas 🐟

This week, Sonatype discovered multiple npm packages that impersonate the vastly popular ‘colors’ JavaScript library but instead pack malware. These typosquats, shown below, have been assigned the vulnerability identifier sonatype-2022-2601 in our security data:

To give you a recap, the heavily used ‘colors’ library rakes in 20 million weekly downloads on npm and has around 19,000 open source projects relying on it. The library drew much notoriety this January after being sabotaged in protest by its maintainer Marak Squires.

And all of that explains why threat actors would attempt to typosquat it: to maximize their chances of success should a developer fall for a forked but tainted version of a legitimate library, as opposed to the real thing.

At the time of our discovery, the npm pages for the aforementioned packages were verbatim replicas of those for the real ‘colors’. Take, for example, ‘colors-help’—the README, and even the GitHub repo URLs on the right-hand side, are exact copies.

Inside the package, there’s lots of legitimate code and files borrowed straight from ‘colors.’ That is, until we get to the suspicious ‘colors.js’ file with obfuscated JavaScript code somewhere in the middle:
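The packages above are caught by their names as much as by their contents: a popular name with a suffix bolted on, or one letter off. The following is an added example, not code from Sonatype or the post, of a defender-side triage check that scans a project's dependency names for lookalikes of a short allow-list of popular packages (the list, the edit-distance threshold and the sample `package.json` dependencies are all constructed assumptions). It generalizes beyond ‘colors’ to any name on the list.

```javascript
// Added example (not from the Sonatype post): flag npm dependency names that
// resemble a well-known package without being it. Two heuristics: the name
// contains a popular name ("colors-help"), or is within edit distance 1 of
// one ("colrs"). This is a triage aid; hits still need a human look.

// Assumed allow-list of packages worth impersonating (constructed sample).
const POPULAR = ["colors", "lodash", "express", "chalk"];

// Classic Levenshtein edit distance between two strings.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Strip an npm scope ("@org/name" -> "name") so scoped forks are compared too.
function bareName(name) {
  return name.startsWith("@") ? name.split("/")[1] || name : name;
}

// Takes the "dependencies" object of a package.json; returns one record per
// dependency that resembles a popular package but is not that package.
function findLookalikes(deps) {
  const hits = [];
  for (const dep of Object.keys(deps)) {
    const n = bareName(dep);
    if (POPULAR.includes(n)) continue; // the genuine package is fine
    for (const p of POPULAR) {
      if (n.includes(p)) {
        hits.push({ name: dep, lookalikeOf: p, reason: "contains popular name" });
        break;
      }
      if (editDistance(n, p) <= 1) {
        hits.push({ name: dep, lookalikeOf: p, reason: "edit distance 1" });
        break;
      }
    }
  }
  return hits;
}

// Constructed sample dependencies, mixing the real ‘colors’ with lookalikes.
const sampleDeps = { "colors": "^1.4.0", "colors-help": "1.0.0", "colrs": "1.0.0",
                     "express": "^4.18.0", "@acme/colors-extra": "1.0.0" };
console.log(findLookalikes(sampleDeps));
```

The containment rule is deliberately noisy (a legitimate `chalk-animation` would also be flagged), so treat the output as a review queue rather than a verdict.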

De-obfuscating the code clearly unveils the nefarious activities the project is conducting.

Sonatype senior security researcher Ankita Lamba who analyzed these typosquats explains:

“The malicious code iterates over local storage folders of common browsers (Chrome, Opera, Brave, Yandex) and Discord-specific (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/malicious-npm-colors-typosquats-pack-discord-malware
