Malicious Package Containing Trojan for Discord Identified in NPM Service
Researchers from ReversingLabs have discovered a malicious package in the npm registry that contains a Discord Trojan with rootkit functionality. The malicious code, known as “DiscordRAT 2.0”, is a pre-made hacking tool designed for novice hackers.
The fake package, named “node-hide-console-windows”, was uploaded to the repository on August 25 and deliberately given a name similar to the legitimate package “node-hide-console-window”. The only difference between the two is a single letter.
Interestingly, the malicious package was downloaded approximately 700 times during the same period that the original package was downloaded only 300 times. The malicious package has since been removed from the platform.
According to the ReversingLabs researchers, the package loaded a Discord bot that deployed the “r77” rootkit, whose open source code is freely distributed on GitHub.
The “r77” rootkit is frequently used in real malicious campaigns, often as one of the links in attack chains for spreading Trojans and cryptocurrency miners. This trend suggests that open source projects are increasingly being exploited as a means of distributing malicious software.
The malicious code itself was found in the “index.js” file within the malicious package. When executed, the code extracted an executable that was launched automatically: a Trojan based on open source C# code known as DiscordRAT 2.0. This tool is available on GitHub and enables remote control of the target host via Discord. It supports more than 40 commands and can disable antivirus software to facilitate the collection of confidential data.
Ashley Bengi from ReversingLabs highlighted that many hacker tools shared openly under the guise of “educational purposes” often end up being used for real attacks by even inexperienced attackers. Such tools are easily accessible on platforms like GitHub, often with detailed instructions.
This incident involving a malicious package