Analysis of Cross-Platform NPM Stealer Using Discord Webhooks
- [01] Threat actors use obfuscated Node.js scripts to exfiltrate credentials and crypto wallet data from developers and end-users.
- [02] JavaScript environments on Windows, Linux, and macOS are targeted through malicious NPM packages or standalone scripts.
- [03] Implement strict dependency auditing and monitor network traffic for unauthorized Discord webhook exfiltration to mitigate these information stealers.
A recent discovery by security researchers highlights the persistent threat of malicious packages within the Node.js ecosystem. According to SANS Internet Storm Center, an obfuscated JavaScript stealer has been identified that specifically targets sensitive user data across multiple operating systems. This malware, often distributed via a Supply Chain Attack or deceptive NPM packages, demonstrates high sophistication in its data-gathering capabilities and anti-analysis measures.
The analyzed file (SHA256: 049300aa5dd774d6c984779a0570f59610399c71864b5d5c2605906db46ddeb9) was found to be heavily obfuscated using the javascript-obfuscator library. This technique is designed to hinder static analysis by transforming the source code into a complex, unreadable format, making it difficult for traditional EDR solutions to identify malicious intent through simple signature matching. Unlike attacks that exploit a specific CVE, this threat leverages the legitimate functionality of the Node.js runtime to execute unauthorized actions.
NPM Malware Static Analysis Techniques and Indicators
During a static analysis, researchers observed that the script is cross-platform, utilizing the process.platform property to tailor its execution path. By identifying whether the host is running on Windows (win32), Linux (linux), or macOS (darwin), the malware can locate application data directories specific to each OS. For instance, on Windows, it targets the %AppData% folder, while on Unix-like systems, it searches within ~/.config or Library/Application Support directories.
Security professionals researching how to detect Node.js credential stealer variants should look for common IoC patterns such as hardcoded Discord webhook URLs. This specific malware uses Discord as its C2 infrastructure, exfiltrating stolen data via HTTP POST requests to these webhooks. This method is increasingly popular among threat actors because it blends in with legitimate Discord traffic, often bypassing basic firewall rules.
Targeted Data and Exfiltration Tactics
The stealer’s primary objective is the collection of high-value credentials and personal information. The following data points are prioritized by the script:
- Discord Data: It attempts to extract authentication tokens, user badges, email addresses, and phone numbers. These tokens are particularly valuable as they allow attackers to bypass multi-factor authentication and hijack accounts.
- Browser Credentials: The malware targets popular Chromium-based browsers, including Google Chrome, Microsoft Edge, Opera, Brave, and Vivaldi. It specifically hunts for stored passwords, cookies, and credit card information.
- Cryptocurrency Wallets: Browser extensions and desktop applications for wallets such as Metamask, Exodus, Atomic, and Coinbase are targeted for asset theft.
- System Metadata: To provide context for the attacker, the script gathers the victim’s IP address (via the ipify.org API), country, hostname, and operating system version.
To avoid detection in automated sandboxes, the script includes logic to detect virtualization. It checks for common sandbox indicators such as specific MAC addresses, CPU core counts, or the presence of debugger-related files. If the environment is deemed hostile or virtualized, the malware terminates execution before its full set of behaviours can be observed.
Defensive Recommendations
For a SOC or security team, mitigating these threats requires a multi-layered approach. Modern SIEM platforms should be configured to alert on outbound traffic to Discord Webhook URLs from unusual processes, especially those originating from Node.js or developer environments. Furthermore, mapping these activities to the MITRE ATT&CK framework—specifically focusing on T1539 (Steal Web Session Cookie) and T1555 (Credentials from Web Browsers)—can help in developing more resilient detection logic.
Organizations should enforce strict package management policies. This includes using npm audit to scan for known issues and utilizing private registries where packages are vetted before being made available to developers. While this specific stealer was not tied to a confirmed Phishing campaign in the source material, it is common for such scripts to be delivered via malicious pull requests or dependency confusion attacks.