NPM Developers
The malicious activity targeted Windows users. The following files were sent to an external host, including the database with browsing history from browsers based on the Chromium engine and from the Discord client (it is assumed that the module was blocked at the stage of collecting user data, and that more dangerous malicious code could have been delivered in one of the updates):
- /AppData/Local/Google/Chrome/User\x20Data/Default/Local\x20Storage/leveldb
- /AppData/Roaming/Opera\x20Software/Opera\x20Stable/Local\x20Storage/leveldb
- /AppData/Local/Yandex/YandexBrowser/User\x20Data/Default/Local\x20Storage/leveldb
- /AppData/Local/BraveSoftware/Brave-Browser/User\x20Data/Default/Local\x20Storage/leveldb
- /AppData/Roaming/discord/Local\x20Storage/leveldb
Source: opennet.ru
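As an added example (not from the original article and not the code of any npm tool), the following Node.js sketch checks package source text for references to the directories listed above, decoding `\x20`-style escapes first so the escaped spelling shown in the list is caught as well as the plain one. The function names and the sample input are constructed for illustration.

```javascript
// Path suffixes from the list above, with \x20 decoded to a space and
// lower-cased for comparison.
const TARGET_PATHS = [
  "appdata/local/google/chrome/user data/default/local storage/leveldb",
  "appdata/roaming/opera software/opera stable/local storage/leveldb",
  "appdata/local/yandex/yandexbrowser/user data/default/local storage/leveldb",
  "appdata/local/bravesoftware/brave-browser/user data/default/local storage/leveldb",
  "appdata/roaming/discord/local storage/leveldb",
];

// Decode \xNN and \uNNNN escapes, then unify separators and case so that
// escaped, backslash-separated and plain spellings all compare equal.
function normalize(text) {
  return text
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\+/g, "/") // remaining backslashes are Windows separators
    .replace(/\/+/g, "/")
    .toLowerCase();
}

// Return one finding per (line, target path) match in the given source text.
function scanSource(name, source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, i) => {
    const norm = normalize(line);
    for (const target of TARGET_PATHS) {
      if (norm.includes(target)) findings.push({ file: name, line: i + 1, target });
    }
  });
  return findings;
}

// Constructed sample input (not the real package's code).
const SAMPLE = [
  "const home = process.env.USERPROFILE;",
  "const a = home + '/AppData/Roaming/discord/Local\\x20Storage/leveldb';",
  "const b = home + '\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Local Storage\\\\leveldb';",
  "const c = home + '/AppData/Local/Temp/cache';",
].join("\n");

console.log(scanSource("sample/index.js", SAMPLE));
```

Matching is per line on literal text, so a path assembled from several string fragments is not flagged; a clean result only means the literal paths are absent.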