JFrog Security Research has identified a malicious package on the NPM registry named “duer-js” that delivers the “Bada Stealer” malware to Windows machines. The package has a low download count, but it is a genuine risk to developers who install it: it uses staged delivery and obfuscation to harvest sensitive information, with Discord users as its primary target.
The “duer-js” package, published by the user “luizaearlyx,” posed as a legitimate console-visibility tool. At the time of the report the package was still available on NPM, so developers who pull it into a project remain exposed. The main concern is the multi-stage design of “Bada Stealer”: it goes beyond a one-off data grab and installs itself so that it can monitor the victim persistently.
How ‘duer-js’ Distributes ‘Bada Stealer’ Malware
The “duer-js” package does not carry the stealing logic itself. The code that runs at install time is only a downloader; it fetches a second-stage component built specifically to target Discord users. That second stage injects itself into the Discord desktop application’s startup path, so the malicious code is loaded each time Discord launches and can monitor activity and extract data continuously rather than once.
According to JFrog Security Research, the second-stage payload steals authentication tokens, captures stored payment methods and, by harvesting backup codes, can potentially bypass two-factor authentication. The package is heavily obfuscated, which complicated analysis. The researchers also noted that uninstalling “duer-js” is not enough to clean an infected machine: npm uninstall removes the package from node_modules, but the persistence it set up (the injected Discord code and the startup entry described in the remediation section) survives.
The Information Theft Process of ‘Bada Stealer’
Once the stealer runs on an infected system it first kills running browser and Telegram processes. The purpose is to release file locks: the profile files these applications keep open cannot otherwise be read or copied. That abrupt termination is itself an observable signal, since users and legitimate software rarely kill every browser at once. The malware then scans the system for valuable data across a wide range of applications.
Discord tokens, which the client stores in local databases, are a primary target. The stealer extracts not only authentication tokens but also Discord Nitro subscription details, billing information, payment sources, friend lists and two-factor authentication backup codes. With a token and the backup codes an attacker can take over the account and use the stored payment methods, so the exposure is financial as well as identity-related.
Browser data extraction is equally thorough. The malware targets saved passwords in Chrome, Edge, Brave, Opera and Yandex, decrypting them with the Windows Data Protection API (DPAPI). This works because DPAPI protects data to the logged-in user, not to the browser: any code running under the same user account, including a stealer launched from an npm install, can unwrap the key the browser stored. The stealer also harvests cookies from the browser profile directories and collects autofill data, including credit card numbers, expiration dates and cardholder names.
Cryptocurrency wallet users are also at risk. The malware searches for Exodus wallet files and for browser-extension wallets including MetaMask, BraveWallet and AtomicWallet. Steam users are not exempt either: the stealer compresses and exfiltrates Steam configuration files, which can expose account credentials and game-library access.
Data Exfiltration and Remediation Steps
Everything the stealer collects is sent to the attackers through a Discord webhook, with Gofile cloud storage as a secondary channel so the data still arrives if one path is blocked. Before upload the malware writes the stolen material into text files (passwords, credit-card details, autofill data). For defenders the webhook is the more useful indicator: a Discord webhook URL contains the channel’s fixed ID and token, so an outbound POST to discord.com/api/webhooks/ from a process that is not the Discord client, particularly from node.exe, is a strong signal, and that host and path can be blocked at the proxy without affecting the Discord client itself.
Anyone who installed “duer-js” needs to do more than npm uninstall. Close Discord completely and uninstall it from Windows Settings or the Control Panel. Then open the Run dialog (Win+R), enter %LOCALAPPDATA% and delete every Discord-related folder there, including Discord, DiscordPTB and DiscordCanary, so that the injected code goes with them. Reinstall Discord only from the official website.
Next, remove any stray node.exe from the Windows Startup folder at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. Reset every password that was saved in a browser on the machine. Revoke Discord tokens by changing the account password, which logs out existing sessions, and enable two-factor authentication if it is not already on; since the stealer also takes backup codes, regenerate them. Review Discord payment methods for unauthorised changes and watch cryptocurrency wallets and Steam accounts for suspicious activity. Only this combination of removal, credential rotation and monitoring fully closes out the infection.

