All developers are prone to mistakes that leave them open to typosquatting attacks. Tiredness, a dirty keyboard, or software issues may lead to typing some letters twice. Everyone would like to see a red screen and an alarm coming out of the computer in such a case, but sadly, it doesn’t always work that way with most supply chain attacks. As attackers and their methods become more sophisticated every day, they are using ever more devious ways to hide the fact that you installed a malicious package.

Mend Supply Chain Defender blocked the personal-colorss package 39 minutes after it was published to npm on May 9th, 2022. On the day of this blog’s publication, the package is still available in npm and is easy to mistake for the original colors package, and not only because of its name. The package is malicious and steals Discord tokens. While this is not something we haven’t seen before, this package uses a new approach to better disguise and execute its malicious behavior. We can see that attackers are mixing technologies: in this case, we observed a JavaScript file that executes a Python script carrying the actual malicious content. We also observed that the attacker was using code similar to other Discord token-stealing malicious packages we have encountered during the last few months. This time, however, the disguise was not easily recognizable.

The personal-colorss package seems to act as the chart-topping original colors package, which has 20 million weekly downloads. Because the interface of the malicious package is unchanged, users are able to use the capabilities of ‘colors’ when using ‘personal-colorss’. Unfortunately, underneath that interface, a malicious Python file is executed to steal Discord tokens.

The main file of both the original colors package and the malicious version is lib/colors.js. The malicious package has two versions, 0.0.1 and 0.0.2: version 0.0.1 contains the non-obfuscated malicious code, and version 0.0.2 contains the obfuscated version of the exact same code. As you will later see in the non-obfuscated version, the package collects user information that is needed for the execution of another malicious Python script.

Let’s focus on the visual similarities first. On the left is the malicious version and on the right is the original version:

Figure 1 – colors.js file from both legit and malicious versions of ‘colors’

Both code snippets are indistinguishable, as are the rest of the files in the package, which lets the malicious version of ‘colors’ act as if it were the original one, with all its capabilities.

In addition, the actor took advantage of the fact that the beginning of the original file contains comments by the author to inject the malicious part while keeping the file similar in length and content:

Figure 2 – the only visual difference between the legit and the malicious package

On the left, we see the malicious package ‘personal-colorss’, while on the right we see the original ‘colors’. The code only differs in the marked area.

The packages also look identical in the npm registry, and it’s hard to distinguish between them:

Figure 3 – npm registry page of both packages

  • The actor injects the malicious code at the beginning of the ‘colors.js’ file, replacing the comments made by the original author.
  • After the first 28 lines inserted by the malicious actor, the rest of the code is identical to the original colors package.
  • The actor tries to keep the length of the file similar to the original version to maintain the visual and functional similarity to the original package.
  • Most importantly and severely, the actor executes a main.py file (line 23) that is still unknown to us.
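The injected-header pattern described above (a block of new lines replacing the upstream author's comments, with the rest of lib/colors.js left identical) can be checked mechanically. The following is an added example, not code from the original post or from Mend: it diffs a suspect package's main file against the upstream copy, isolates the block the two do not share, and flags process-spawning indicators in it. Both file bodies are constructed stand-ins, not the real packages' code.

```javascript
// Added example (not the original post's or Mend's code). Compare the upstream
// lib/colors.js with the copy in a suspect package, split off the lines they do
// not share, and flag process-spawning calls there. File bodies are constructed.
const UPSTREAM = [
  "/*",
  " * Original library header comment (constructed stand-in)",
  " * License text would normally sit here",
  " */",
  "var colors = {};",
  "module['exports'] = colors;",
  "colors.enabled = true;",
].join("\n");
const SUSPECT = [
  "var cp = require('child_process');",
  "var who = require('os').userInfo().username;",
  "cp.exec('python3 main.py ' + who, function () {});",
  "var colors = {};",
  "module['exports'] = colors;",
  "colors.enabled = true;",
].join("\n");
// Longest common suffix of two line arrays: a replaced header at the top of
// the file must not hide the shared body that follows it.
function commonSuffixLength(a, b) {
  let n = 0;
  while (n < a.length && n < b.length && a[a.length - 1 - n] === b[b.length - 1 - n]) n++;
  return n;
}
// Patterns a colour-formatting library has no reason to contain.
const INDICATORS = [
  { name: "child_process import", re: /child_process/ },
  { name: "exec/spawn call", re: /\b(exec|spawn)(Sync)?\s*\(/ },
  { name: "python interpreter", re: /\bpython3?\b/ },
  { name: ".py script", re: /\.py\b/ },
];
// Splits off the lines unique to each file (replaced header upstream, injected
// block in the suspect) and scans the injected block for the indicators above.
function analyze(upstreamText, suspectText) {
  const up = upstreamText.split("\n");
  const sus = suspectText.split("\n");
  const shared = commonSuffixLength(up, sus);
  const injected = sus.slice(0, sus.length - shared);
  const findings = [];
  injected.forEach((line, i) => INDICATORS.forEach(({ name, re }) => {
    if (re.test(line)) findings.push({ line: i + 1, indicator: name, text: line });
  }));
  return { injectedLineCount: injected.length, replacedLineCount: up.length - shared,
           sharedLineCount: shared, findings };
}
console.log(JSON.stringify(analyze(UPSTREAM, SUSPECT), null, 2));
```

Against an obfuscated variant like the 0.0.2 version described above, the suffix diff still isolates the injected block, but the string indicators only fire once that block has been deobfuscated.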