Duer-js NPM Package Deploys ‘Bada Stealer’ Malware, Targeting Windows and Discord Users with Advanced Data Theft Techniques

A malicious package named duer-js has surfaced in the NPM registry, putting developers and the Windows machines they build on at risk. It was published under the account luizaearlyx and poses as a legitimate console-visibility utility. It recorded only 528 downloads, but the techniques it uses are serious enough that anyone who has pulled it into a project should follow the remediation steps below rather than simply removing it.

The malware, which identifies itself as Bada Stealer, is still available on NPM, so new installs remain at risk. What sets it apart is a multi-stage design: when the package is installed it does not simply steal data and exit. It also downloads a second payload aimed specifically at Discord users.

This second component injects itself into the Discord desktop application so that it runs every time Discord starts, giving it persistent access to whatever the client holds. It captures payment methods and authentication tokens, and it also takes two-factor authentication backup codes, which let an attacker get past 2FA on the stolen account.

Analysts from JFrog Security Research unpacked the package's obfuscation and documented the behaviour described here. A key finding is that removing the package (npm uninstall duer-js) is not enough: the code injected into Discord and the startup entry the malware creates survive removal of the package itself.

How the Malware Compromises Sensitive Data

Bada Stealer follows a methodical collection routine. It first kills running browser and Telegram processes: those applications keep their profile databases open with exclusive locks, and terminating them frees the files for copying. It then sweeps the system for data belonging to several applications.

It reads Discord tokens from the client's local databases and, with those in hand, collects not only the login credential itself but Nitro subscription details, billing data, payment sources, friend lists, and two-factor authentication backup codes.

Its browser collection is equally thorough. It extracts saved passwords from Chrome, Edge, Brave, Opera, and Yandex by decrypting them with the Windows Data Protection API (DPAPI); because DPAPI decrypts for any process running as the same user, malware in the user's session can read them as easily as the browser can. It also harvests cookies from each profile directory and autofill data, including credit card numbers, expiration dates, and cardholder names, which Chromium-based browsers protect with the same DPAPI-wrapped key.

Cryptocurrency users are at particular risk: the malware hunts for Exodus wallet files and for other wallets including MetaMask, BraveWallet, and AtomicWallet. Steam users are not spared either; Steam configuration files are compressed and exfiltrated.

All stolen data goes to the attackers over a Discord webhook, with Gofile cloud storage as a fallback channel, so losing one channel (a reported webhook gets deleted, for instance) does not cost them the data. Passwords, card details, and autofill entries are written to text files before upload. For hunting, the network side is the useful signal: a node.exe process posting to discord.com/api/webhooks/ or uploading to gofile.io from a developer workstation warrants a look.

Immediate Remediation Steps

If you have installed the duer-js package, removing it from your project is only the first step. The following actions are also required:

1. Close and Uninstall Discord: Completely close Discord and uninstall it through Windows Settings or Control Panel.

2. Remove Discord-Related Folders: Press Win+R, type %LOCALAPPDATA%, and delete all Discord-related folders, including Discord, DiscordPTB, and DiscordCanary, to eliminate the injected malicious code.

3. Reinstall Discord: Download and reinstall Discord from the official website only.

4. Remove Malicious Startup Entries: Remove any node.exe files from the Windows Startup folder located at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup, along with any script or shortcut next to it that you did not create yourself.

5. Change Stored Passwords: Change all passwords stored in your browsers. Do this only after the machine is clean, or from another device, since anything typed on the infected machine before cleanup is harvested again.

6. Revoke Discord Tokens: Changing your Discord password invalidates existing sessions and tokens. Then enable two-factor authentication if it is not already active, and generate a new set of backup codes, because the old ones were stolen.

7. Review Payment Methods: Review your Discord payment methods for unauthorized changes.

8. Check Cryptocurrency Wallets and Steam Accounts: Inspect cryptocurrency wallets and Steam accounts for any suspicious activity.

These steps remove the injected Discord code and the startup persistence described above and cut off the accounts the stolen data could be used against. If you cannot confirm that every artifact is gone, or the machine handles sensitive material, a full reinstall of the operating system is the safer option: a stealer that has already run as your user can have done more than what was observed.