Fake packages (noblox.js-proxies and noblox.js-proxies) used typosquatting to mimic the real noblox.js library (and its legitimate variants like noblox.js-proxied), a wrapper around the Roblox game API with about 20,000 downloads per week. The fake packages were uploaded on October 20 and 26 and were downloaded only 281 and 106 times, respectively, according to the Sonatype experts who noticed the problem.
This Batch script downloaded malicious executables from Discord's Content Delivery Network (CDN). These executables were responsible for disabling security mechanisms, ensuring a persistent presence on a compromised device, stealing credentials, cookies and browser history, and deploying ransomware, including the Monster Ransomware that mimics the GoldenEye malware.
Interestingly, in the summer of 2021, Sophos experts warned that the spread of malware via Discord was becoming more and more popular, and today about 4% of all TLS-protected malware (which accounts for approximately 46% of all malware) interacts with Discord.