CursedGrabber Malware Campaign Leveraging Open-Source Ecosystems

A newly identified family of the information-stealing Discord malware called CursedGrabber is making rounds in open-source ecosystems. As a part of the CursedGrabber campaign, Sonatype has discovered more malware in the NPM registry, the recent one is named xpc.js, which was published to NPM registry around November 11.

What is the CursedGrabber campaign?

The author luminate_ aka Luminate-D, who is known for publishing malware components such as discord.dll, discord.app, wsbd.js, and ac-addon, has been associated with the new xpc.js malware as well.
  • The xpc.js malware exists as a tar.gz (tgz) archive with just one version 6.6.6 and has scored just under 100 downloads. This malware has a low detection rate.
  • Working as Discord information-stealing malware, it targets Windows hosts and has additional packages (lib.exe and lib2.exe) bundled within it.
  • All Discord malware (including discord.dll, discord.app, wsbd.js, ac-addon, and xpc.js) execute nearly the same tasks: steal Discord tokens and sensitive user data, with slight differences.

Recent malicious JavaScript npm packages

  • Recently, Sonatype researchers have identified JavaScript two NPM packages, discord.dll and twilio-npm, designed to steal sensitive files from a user's browser and Discord application.
  • Earlier to this, the team had discovered four packages electorn, lodashs, loadyaml, and loadyml (developed by simplelive12), and another package fallguys, containing malicious code for collecting user details.

Conclusion

Due to their popularity, open-source packages are increasingly being attacked by cybercriminals. To prevent such cyberattacks, experts recommend keeping applications patched with the latest updates. Furthermore, using an automated vulnerability scanner can help check for any vulnerabilities in the code.

Cyware Publisher

Publisher

Cyware