Oct 14, 2025 | Ravie Lakshmanan | Malware / Typosquatting

Cybersecurity researchers have identified several malicious packages across npm, Python, and Ruby ecosystems that leverage Discord as a command-and-control (C2) channel to transmit stolen data to actor-controlled webhooks.

Webhooks on Discord are a way to post messages to a channel without a bot account or a logged-in user: the webhook URL carries its own token, so anyone holding the URL can write to the channel. That makes them an attractive mechanism for attackers to exfiltrate data to a channel under their control, with no infrastructure of their own to stand up.

“Importantly, webhook URLs are effectively write-only,” Socket researcher Olivia Brown said in an analysis. “They do not expose channel history, and defenders cannot read back prior posts just by knowing the URL.”


The software supply chain security company said it identified a number of packages that use Discord webhooks in various ways:

  • mysql-dumpdiscord (npm), which siphons the contents of developer configuration files such as config.json, .env, ayarlar.js, and ayarlar.json to a Discord webhook
  • nodejs.discord (npm), which appears to use a Discord webhook for alert logging (an approach that is not inherently malicious)
  • malinssx, malicus, and maliinn (PyPI), which use Discord as a C2 server by sending an HTTP request to a channel each time one of the packages is installed with “pip install”
  • sqlcommenter_rails (RubyGems.org), which collects host information, including the contents of sensitive files such as “/etc/passwd” and “/etc/resolv.conf,” and sends it to a hard-coded Discord webhook

“Abuse of Discord webhooks as C2 matters because it flips the economics of supply chain attacks,” Brown noted. “By being free and fast, threat actors avoid hosting and maintaining their own infrastructure. Also, they often blend into regular code and firewall rules, allowing exfiltration even from secured victims.”

“When paired with install-time hooks or build scripts, malicious packages with Discord C2 mechanism can quietly siphon .env files, API keys, and host details from developer machines and CI runners long before runtime monitoring ever sees the app.”
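The pattern the researchers describe (a hard-coded Discord webhook URL, reads of developer secrets, and an install-time hook that runs before anyone has imported the package) is easy to triage statically before a package reaches a developer machine or CI runner. The following scanner is an added example written for this page; it is not Socket's tooling and not code from any of the packages named above. The package names, file contents and webhook ids in the sample trees are constructed for illustration, and the hook detection covers npm lifecycle scripts and a setup.py that overrides the install command, which goes slightly beyond the npm-only cases in the list.

```python
"""Static triage for the Discord-webhook exfiltration pattern (added example, constructed data)."""
import json
import re
from typing import Dict, List, Tuple

# Shape of a Discord webhook URL: numeric id, then a token. discordapp.com is the legacy
# host and still resolves; ptb/canary are Discord's test-build hosts. The id is captured.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d+)/[\w\-]+"
)

# Files the report names as exfiltration targets, plus /etc/shadow. The lookbehind keeps
# `process.env.X` from matching as a `.env` file read.
SENSITIVE_RE = re.compile(
    r"(?:(?<!\w)\.env\b|config\.json|ayarlar\.js(?:on)?|/etc/passwd|/etc/resolv\.conf|/etc/shadow)"
)

# npm lifecycle scripts that run during `npm install` with no call from the consumer.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# A setup.py that overrides the install command runs arbitrary code at `pip install`.
PY_INSTALL_HOOK_RE = re.compile(r"cmdclass\s*=|setuptools\.command\.install")


def install_hooks(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (location, command) pairs for code the package runs at install time."""
    hooks = []
    pkg = files.get("package.json")
    if pkg is not None:
        try:
            scripts = json.loads(pkg).get("scripts", {})
        except json.JSONDecodeError:
            scripts = {}
        for name in NPM_INSTALL_HOOKS:
            if name in scripts:
                hooks.append((f"package.json:{name}", scripts[name]))
    setup = files.get("setup.py")
    if setup is not None and PY_INSTALL_HOOK_RE.search(setup):
        hooks.append(("setup.py", "setup.py (custom install command via cmdclass)"))
    return hooks


def scan_package(files: Dict[str, str]) -> List[str]:
    """Return human-readable findings for an in-memory package tree (path -> content)."""
    hooks = install_hooks(files)
    findings = [f"{loc}: install-time hook runs: {cmd}" for loc, cmd in hooks]
    for path, content in files.items():
        ids = sorted({m.group(1) for m in WEBHOOK_RE.finditer(content)})
        if not ids:
            continue
        findings.append(f"{path}: hard-coded Discord webhook id(s) {ids}")
        targets = sorted(set(SENSITIVE_RE.findall(content)))
        if targets:
            findings.append(f"{path}: reads sensitive files {targets} alongside the webhook")
        # A hook command that names this file (e.g. "node setup.js") executes it on install.
        if any(path.rsplit("/", 1)[-1] in cmd for _, cmd in hooks):
            findings.append(f"{path}: executed by an install-time hook")
    return findings


def is_suspicious(files: Dict[str, str]) -> bool:
    """The exfil pattern: a webhook plus a sensitive-file read or install-time execution."""
    fs = scan_package(files)
    has_webhook = any("Discord webhook" in f for f in fs)
    has_trigger = any("sensitive files" in f or "executed by" in f for f in fs)
    return has_webhook and has_trigger


# Constructed sample packages (not real registry contents).
MALICIOUS = {
    "package.json": json.dumps({"name": "example-dumper", "scripts": {"postinstall": "node setup.js"}}),
    "setup.js": (
        'const fs = require("fs");\n'
        'const HOOK = "https://discord.com/api/webhooks/123456789012345678/AbCdEf-GhIjKl_MnOp";\n'
        'for (const f of ["config.json", ".env"]) { /* read f and POST it to HOOK */ }\n'
    ),
    "index.js": "module.exports = () => 'hello';",
}
ALERTING = {  # hard-codes a webhook for alerting only: reported, but not the exfil pattern
    "package.json": json.dumps({"name": "alert-relay", "scripts": {"test": "node test.js"}}),
    "index.js": 'const HOOK = "https://discordapp.com/api/webhooks/987654321098765432/tokenXYZ";\n',
}
BENIGN = {
    "package.json": json.dumps({"name": "logger", "scripts": {"test": "node test.js"}}),
    "index.js": "const HOOK = process.env.DISCORD_WEBHOOK_URL; // user-supplied, not hard-coded\n",
}

if __name__ == "__main__":
    for name, pkg in (("MALICIOUS", MALICIOUS), ("ALERTING", ALERTING), ("BENIGN", BENIGN)):
        print(name, "suspicious" if is_suspicious(pkg) else "clean")
        for f in scan_package(pkg):
            print("  ", f)
```

The verdict deliberately separates "has a webhook" from "is exfiltrating": a hard-coded webhook on its own (the nodejs.discord case) is worth a look but is not proof of anything, whereas a webhook in the same file as reads of .env or /etc/passwd, or in a file that a postinstall script executes, is the combination the report describes. Because the URL is write-only, nothing in the package can be queried to learn what was already taken; the scan has to happen before install, which is why it keys on the install hooks rather than on runtime behaviour.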

Contagious Interview Floods npm With Fake Packages

The disclosure comes as the company also flagged 338 malicious packages published by North Korean threat actors associated with the Contagious Interview campaign. Rather than dropping the BeaverTail JavaScript stealer and downloader directly, the packages deliver loaders such as HexEval, XORIndex, and encrypted loaders that stage BeaverTail. The packages were collectively downloaded more than 50,000 times.

“In this latest wave, North Korean threat actors used more than 180 fake personas tied to new npm aliases and registration emails, and ran over a dozen command and control (C2) endpoints,” security researcher Kirill Boychenko said.

Targets of the campaign include Web3, cryptocurrency, and blockchain developers, as well as job seekers in the technical sector, who are approached on professional platforms like LinkedIn with lucrative opportunities. Prospective targets are…



Last Update: October 14, 2025