Inside the fallguys malware that steals your browsing data and gaming IMs; Continued attack on open source software – Security Boulevard

This weekend a report emerged of mysterious npm malware stealing sensitive information from the Discord apps and web browsers installed on a user's machine.

The malicious component, called fallguys, lived on npm downloads impersonating an API for the widely popular video game Fall Guys: Ultimate Knockout. Its actual purpose, however, was rather sinister.

As first reported by ZDNet and analyzed by the npm security team, the component, when included in your development builds, would run alongside your program and access the following files:

The file list comprises the LevelDB files under the Local Storage directories of several web browsers, such as Chrome, Opera, Yandex, and Brave, along with those of any locally installed Discord app.

LevelDB is a key-value storage format used mainly by web browsers to persist data, in particular data relating to a user's web browsing sessions.

The fallguys component would read these files and upload their contents to a third-party Discord server, e.g. via Discord webhooks.

npm removed the malicious package, but fortunately we retain a copy of all components in a secure archive, so the Sonatype Security Research team was able to analyze the malware quickly. In fact, we got this into our data well before the news broke, so Nexus users are safe.

In this Nexus Intelligence Insights post, we share a first look inside fallguys.

Vulnerability identifier: sonatype-2020-0774

Vulnerability type: Embedded Malicious Code

Impacted package: fallguys, as formerly present in npm downloads

CVSS 3.1 Severity Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS 3.1 Score: 10 (Critical)

While the fallguys package was likely created with malicious intent from the beginning, it exhibits outright suspicious behavior in version 1.0.6.

There are three files found in version 1.0.6. One is a README which touts the malware being a Fall (Read more...)
