NPM Package Spreads Malware Targeting Discord and Crypto

The open-source NPM registry, a cornerstone for countless developers, has once again become a hunting ground for cybercriminals, with the discovery of a sophisticated malicious package designed to systematically plunder sensitive user data. A package named “duer-js,” published by a user called “luizaearlyx,” successfully masqueraded as a benign console visibility tool, tricking developers into incorporating it into their projects. Despite its relatively low download count of 528, security researchers are sounding the alarm due to the malware’s advanced, multi-stage attack methodology and its persistent nature. The threat, which identifies itself as “Bada Stealer,” remains a live danger on the NPM platform, posing a significant risk to any developer who might inadvertently install it. This incident underscores a persistent vulnerability within the software supply chain, where the trust placed in open-source components can be exploited to distribute potent malware that targets not only developer credentials but also the personal and financial information of end-users, with a specific focus on the Discord and cryptocurrency communities.

1. Anatomy of a Multi-Stage Attack

The insidious nature of the “duer-js” package lies in its carefully orchestrated, multi-stage attack sequence that goes far beyond a simple data grab. Upon installation, the package executes its initial payload, but its primary function is to act as a dropper for a more potent secondary threat. This second-stage malware is specifically engineered to compromise the Discord desktop application, a popular communication platform for gamers and various online communities. The malware achieves this by injecting malicious code directly into Discord’s core files, specifically targeting the application’s startup process. This technique establishes a powerful persistence mechanism, ensuring the malicious code is executed every single time the user launches Discord. Security analysts who dissected the package noted its sophisticated obfuscation techniques, which were designed to evade detection. They also warned that a simple npm uninstall command is woefully inadequate for removing the infection. Because the malware embeds itself within the Discord application files, it will survive the removal of the original NPM package, continuing to monitor user activity and exfiltrate data long after the developer believes the threat has been neutralized.

Once embedded within the Discord application, the “Bada Stealer” malware begins its comprehensive data harvesting operations without any further user interaction. The compromised application becomes a spy, meticulously scanning for and extracting a wide array of valuable information. The malware is capable of capturing highly sensitive data, including stored payment methods, complete billing information, and critical authentication tokens that could grant an attacker full access to the victim’s account. It goes a step further by seeking out Nitro subscription details, the user’s friend list, and even two-factor authentication (2FA) backup codes. The theft of these backup codes is particularly dangerous, as it allows attackers to bypass one of the most effective security measures available, effectively rendering 2FA useless. This continuous monitoring transforms the trusted Discord client into a persistent gateway for attackers, allowing them to siphon off a steady stream of personal and financial data every time the program is running, all while the user remains completely unaware of the compromise occurring in the background.

2. The Broad Scope of Data Exfiltration

The Bada Stealer’s appetite for data extends far beyond the confines of the Discord application, systematically targeting a wealth of information stored across the victim’s Windows system. The malware initiates its broader theft process by forcefully terminating any running browser and Telegram processes. This aggressive action is designed to unlock database files and other resources that are typically held open while the applications are in use, granting the stealer unfettered access to the sensitive information stored within. It then conducts a thorough scan of popular web browsers, including Chrome, Edge, Brave, Opera, and Yandex. Using the Windows Data Protection API (DPAPI), the malware decrypts and extracts saved passwords, providing attackers with credentials for countless online accounts. Furthermore, it harvests cookies from multiple browser profile directories, which can be used to hijack active login sessions. The stealer also targets autofill data, capturing credit card numbers, expiration dates, and cardholder names in plaintext before they can be properly encrypted and secured by the browser, creating a direct pipeline to the victim’s financial assets.

With credentials and financial data secured, the malware turns its attention to high-value targets in the cryptocurrency and gaming sectors. The stealer is specifically programmed to hunt for the local files associated with the Exodus cryptocurrency wallet, a popular desktop application for managing digital assets. It also scours the system for browser-extension wallets, a primary tool for interacting with decentralized finance, targeting well-known wallets such as MetaMask, BraveWallet, and AtomicWallet. This focus puts users’ digital currency holdings at extreme risk of being drained. Gamers are not spared either, as the malware locates, compresses, and exfiltrates Steam configuration files, which can contain session tokens and other data useful for account takeovers. To ensure the successful delivery of this stolen information, the attackers implemented a robust, two-channel exfiltration system. The primary method utilizes a Discord webhook to transmit the data directly to an attacker-controlled server. As a failsafe, if the webhook communication is blocked or fails, the malware uploads the stolen data to the Gofile cloud storage service, guaranteeing the attackers receive their illicit haul.

3. A Guide to Remediation and Protection

For anyone who installed the “duer-js” package, a thorough and immediate cleanup is critical to limiting the damage and preventing further data loss. Merely uninstalling the NPM package is insufficient, because the malware’s persistence mechanism inside Discord has to be addressed directly. The recommended first step is to completely close the Discord application and then uninstall it through Windows Settings or the Control Panel. Next, open the Run dialog (Win+R), type %LOCALAPPDATA% and delete every Discord-related folder there, including “Discord,” “DiscordPTB,” and “DiscordCanary,” so that the injected code is removed along with the application files. Then check the Windows Startup folder, located at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup, and delete any node.exe files found there. Only after these steps are complete is it safe to reinstall Discord from its official website. This full removal sequence is necessary to eradicate the infection from the system and sever the malware’s foothold in the compromised application.
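The following read-only PowerShell audit script is an added example, not code from the article or its researchers; it checks a Windows machine and a Node project for the indicators the article names (a duer-js dependency, node.exe in the Startup folder, Discord folders under %LOCALAPPDATA%) and reports findings without deleting anything. The check on Discord’s desktop_core index.js is an assumption about Discord’s file layout that the article does not state.

```powershell
# Added audit script (not from the article). Read-only: it reports indicators
# so they can be reviewed before following the manual remediation steps.
param(
    # Assumption: path of the Node project to inspect for a duer-js dependency
    [string]$ProjectPath = "."
)

$findings = @()

# 1. Is the malicious package referenced in a lockfile or installed in node_modules?
foreach ($lock in @("package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml")) {
    $lockPath = Join-Path $ProjectPath $lock
    if ((Test-Path $lockPath) -and (Select-String -Path $lockPath -Pattern 'duer-js' -Quiet)) {
        $findings += "Lockfile $lock references duer-js"
    }
}
if (Test-Path (Join-Path $ProjectPath "node_modules\duer-js")) {
    $findings += "node_modules\duer-js is installed"
}

# 2. node.exe dropped into the per-user Startup folder (persistence indicator from the article)
$startup = Join-Path $env:APPDATA "Microsoft\Windows\Start Menu\Programs\Startup"
if (Test-Path $startup) {
    foreach ($exe in Get-ChildItem -Path $startup -Filter "node*.exe" -File -ErrorAction SilentlyContinue) {
        $findings += "Unexpected executable in Startup folder: $($exe.FullName)"
    }
}

# 3. Discord installs under %LOCALAPPDATA%. Assumption (not in the article): Discord's
#    desktop_core module ships index.js as a one-line stub that loads core.asar, so an
#    index.js with any other content is worth reviewing as possible injected code.
$stubPattern = '^\s*module\.exports\s*=\s*require\(''\./core\.asar''\);?\s*$'
foreach ($name in @("Discord", "DiscordPTB", "DiscordCanary")) {
    $root = Join-Path $env:LOCALAPPDATA $name
    if (-not (Test-Path $root)) { continue }
    $findings += "Discord folder present (delete before reinstalling if compromised): $root"
    $coreFiles = Get-ChildItem -Path $root -Recurse -Filter "index.js" -File -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -like "*discord_desktop_core*" }
    foreach ($f in $coreFiles) {
        $content = Get-Content -Path $f.FullName -Raw
        if ($content -notmatch $stubPattern) {
            $findings += "Modified desktop_core index.js: $($f.FullName) ($($f.Length) bytes)"
        }
    }
}

if ($findings.Count -eq 0) { Write-Output "No indicators found." }
else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
```

Run it from the project directory (or pass -ProjectPath) before and after the manual cleanup; a clean run after reinstalling Discord should report only the freshly installed Discord folder.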
