The lurking code-bombs lift Discord tokens from users of any applications that pulled the packages into their code bases.
A series of malicious packages in the Node.js package manager (npm) code repository are looking to harvest Discord tokens, which can be used to take over unsuspecting users’ accounts and servers.
According to the JFrog Security research team, a set of 17 malicious packages was published, with varying payloads and tactics. All of them, however, were built to target Discord, the virtual meeting platform used by 350 million users that enables communication via voice calls, video calls, text messaging and files.
“The packages’ payloads are varied, ranging from infostealers up to full remote-access backdoors,” researchers said in a Wednesday advisory. “Additionally, the packages have different infection tactics, including typosquatting, dependency confusion and trojan functionality.”
There are a few reasons, apart from its massive user base, that Discord is an