- Cybersecurity researchers found malicious packages in npm, Python, and Ruby that use Discord webhooks to send stolen data.
- Discord webhooks allow messages to be posted without authentication, making them a discreet tool for attackers to exfiltrate data.
- Several packages steal sensitive files and system information, sending it to attacker-controlled Discord channels.
- A North Korean campaign called Contagious Interview published 338 malicious npm packages targeting Web3 and cryptocurrency developers.
- The campaign uses fake personas and typosquatting to trick users into running Malware that steals credentials and delivers backdoors.
Cybersecurity researchers have discovered multiple malicious software packages across the npm, Python, and Ruby ecosystems that use Discord as a command-and-control (C2) channel to transmit stolen data. These packages send sensitive information through Discord webhooks, which attackers control to receive data without needing authentication.
Discord webhooks are tools that post messages to channels without requiring a bot user or login, enabling attackers to quietly exfiltrate data. Socket researcher Olivia Brown explained, “webhook URLs are effectively write-only… defenders cannot read back prior posts just by knowing the URL.” This allows attackers to send stolen data discreetly without leaving a visible trace.
Among the identified packages are npm’s mysql-dumpdiscord, which steals developer configuration files; Python packages malinssx, malicus, and maliinn that contact Discord channels when installed; and Ruby’s sqlcommenter_rails, which collects host details and sensitive files before sending them to a Discord webhook. Brown noted the importance of this tactic, saying it lets threat actors avoid Hosting their own infrastructure and bypass firewall rules.
In addition, Socket revealed a North Korean threat group linked to a campaign called Contagious Interview published 338 malicious npm packages. These packages were downloaded over 50,000 times and deliver malware such as HexEval, XORIndex, and BeaverTail. The group created more than 180 fake identities and operated multiple C2 endpoints, targeting Web3, cryptocurrency, and blockchain developers.
The campaign tricks victims by offering fake job opportunities on platforms like LinkedIn, instructing targets to complete coding tests involving repositories referencing malicious npm packages. When executed, the malware steals browser credentials, cryptocurrency wallets, keystrokes, and screenshots. It also downloads additional backdoors like InvisibleFerret.
Many packages in this campaign use typosquatting, registering names similar to legitimate libraries, especially those related to Node.js and React. Security researcher Kirill Boychenko said, “Contagious Interview is not a cybercrime hobby… It is a state-directed, quota-driven operation with durable resourcing.” The campaign treats npm as a renewable source for initial access and removal of malicious packages alone is insufficient if the attacker accounts remain active.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- JP Morgan Unveils $10B Push Into US National Security Sectors
- SpaceX’s Starship Completes Eleventh Test Flight From Texas
- Microsoft Sued for Allegedly Inflating ChatGPT Prices With Azure Deal
- WazirX Gets Singapore Court Nod, Trading to Resume in 10 Days
- BYD Eyes Spain for Third European EV Factory Amid Surging Sales
