Three malicious software packages have been published to a code repository for JavaScript developers to share and reuse code blocks. The packages represent a supply-chain threat given that they may be used as building blocks in various web applications. Any applications corrupted by the code can steal tokens and other information from Discord users, researchers said. The authors are the same operators behind the CursedGrabber Discord malware, the researchers at Sonatype said. It’s unknown how many developers used the packages before they were removed.
Source: https://threatpost.com/discord-stealing-malware-npm-packages/163265/