Malicious activity detected in fallguys NPM package

The NPM developers have warned that the fallguys package was removed from the repository after malicious activity was detected in it. Besides printing a splash screen in ASCII graphics with a character from the game "Fall Guys: Ultimate Knockout", the module included code that tried to send certain system files to the Discord messenger via a webhook. The module was published in early August but had been downloaded only 288 times before it was blocked.

The malicious activity was aimed at compromising Windows users. The following files were sent out, including a database with navigation history in Chromium-based browsers and in the Discord client (it is assumed that the module was blocked while it was still at the stage of collecting user data, and that more dangerous malicious code could have been delivered in one of the updates):

  • /AppData/Local/Google/Chrome/User\x20Data/Default/Local\x20Storage/leveldb
  • /AppData/Roaming/Opera\x20Software/Opera\x20Stable/Local\x20Storage/leveldb
  • /AppData/Local/Yandex/YandexBrowser/User\x20Data/Default/Local\x20Storage/leveldb
  • /AppData/Local/BraveSoftware/Brave-Browser/User\x20Data/Default/Local\x20Storage/leveldb
  • /AppData/Roaming/discord/Local\x20Storage/leveldb
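
As an added illustration (not code from the package or from the original report), the following JavaScript sketch shows how a reviewer could triage a dependency's source text for the combination described above: references to the listed Local Storage/leveldb directories, including the \x20-escaped spelling, together with a Discord webhook URL. The function names, the webhook URL pattern and the sample strings are assumptions constructed for the example.

```javascript
// Added example: static triage of package source text. Names and samples are constructed.

// Decode \xNN and \uNNNN string escapes, which can hide the spaces in a path.
function decodeEscapes(src) {
  return src.replace(/\\(?:x([0-9a-f]{2})|u([0-9a-f]{4}))/gi,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Profile directories from the list above, lower-cased, with forward slashes.
const PROFILE_DIRS = [
  'google/chrome/user data',
  'opera software/opera stable',
  'yandex/yandexbrowser/user data',
  'bravesoftware/brave-browser/user data',
  'roaming/discord',
];

// Assumption: webhook URLs look like https://discord.com/api/webhooks/<id>/<token>.
const WEBHOOK_RE = /discord(?:app)?\.com\/api\/webhooks\//;

function triage(source) {
  // Normalize: decode escapes, turn backslash runs into '/', lower-case.
  const text = decodeEscapes(source).replace(/\\+/g, '/').toLowerCase();
  const readsStore = text.includes('local storage/leveldb');
  const touched = readsStore ? PROFILE_DIRS.filter((d) => text.includes(d)) : [];
  const webhook = WEBHOOK_RE.test(text);
  // Either signal alone occurs in benign code; the pair is what the article describes.
  return { touched, webhook, suspicious: touched.length > 0 && webhook };
}

// Constructed sample: escaped profile paths plus a placeholder webhook URL.
const SAMPLE_BAD = String.raw`
const p = home + '/AppData/Local/Google/Chrome/User\x20Data/Default/Local\x20Storage/leveldb';
const d = home + '\\AppData\\Roaming\\discord\\Local\x20Storage\\leveldb';
const hook = 'https://discord.com/api/webhooks/000000/PLACEHOLDER';
`;

// Constructed sample: a build notifier that uses a webhook but reads no profile data.
const SAMPLE_CLEAN = String.raw`
const hook = 'https://discord.com/api/webhooks/000000/PLACEHOLDER';
notify(hook, 'build finished');
`;

console.log(triage(SAMPLE_BAD));
console.log(triage(SAMPLE_CLEAN));
```

A hit is a reason to read the code by hand, not a verdict: obfuscated or dynamically built strings will not match this simple normalization.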

Source: opennet.ru
