Security researchers have identified a malicious npm package that an attacker designed to steal web browser files and Discord gaming instant messages. This is not the first attempt of its kind, and it looks like the project has been online for quite some time.
Npm packages are usually JavaScript libraries, and developers regularly use them in various projects. While these libraries are generally loaded directly in browsers, it’s possible to integrate them into apps as well. The widespread use of such libraries makes the npm packages a common target, so attackers constantly try to compromise them.
