Security researchers have discovered yet another supply chain attack campaign using malicious npm packages, this time targeting Discord users.
The purpose of the campaign appears to be to steal Discord tokens and users’ card data.
“The Python malware is a modified version of an open source token logger called Volt Stealer. It is intended to steal Discord tokens from infected machines, along with the victim’s IP address, and upload them via HTTP,” said Kaspersky.
The campaign is yet another example of a growing threat to the developer community and its downstream customers: developers unwittingly pulling malware into their projects as they rely on open source packages to accelerate time-to-market.
Garwood Pang, senior security researcher at Tigera, explained that stolen Discord tokens could be leveraged in follow-on spear-phishing attacks on victims’ friends.
“With more than 11 million users using npm, the potential audience of a successful supply chain attack is significant compared to targeting a specific company.”