A newly discovered malicious NPM package, dubbed duer-js, is being used to distribute an advanced information‑stealing malware that primarily targets Windows systems and Discord users.
Published by the user “luizaearlyx”, the package contains a custom infostealer calling itself “bada stealer”, and remains available at the time of reporting, which raises serious concerns for developers who may have integrated it into their projects.
Although its download count is relatively low, the breadth of data it targets makes each infection potentially severe.
The main entry point of the package is an index.js file that immediately stands out because of a single extremely long line of JavaScript wrapped inside an eval() call, roughly tens of thousands of characters in length.
This blob is heavily obfuscated and includes nested layers of URI‑encoding, dynamic evaluation, and XOR‑based string decoding, all designed to slow analysis and frustrate attempts to understand or safely run the code.
The JFrog security research team recently uncovered a sophisticated malicious package called duer-js published on NPM by the user luizaearlyx.
The first decoding stage reconstructs another script that checks whether the code has been modified; if tampering is detected, it prints an error message and halts, effectively acting as an anti‑analysis safeguard against researchers.
Duer-js NPM Package Discovered
Behind the obfuscation, the code builds a string‑conversion table that maps small function calls to real variable and module names.
By decoding this table using a runtime XOR key and then replacing the indirection functions with their resolved values, analysts can recover a version of the malware that is close to its original source form.

This technique allows the attacker to keep the logic fairly readable to themselves while hiding it from static inspection tools and quick manual review.
Once executed, bada stealer aggressively kills certain processes and begins harvesting sensitive data from the host.
It targets major Chromium‑based browsers such as Chrome, Edge, Brave, Opera, and Yandex, extracting passwords, cookies, autofill entries, and stored credit card data from their local databases and Web Data files.
The stealer also searches for crypto‑wallet traces and extension data, including Exodus and popular browser‑extension wallets, as well as zipping and exfiltrating Steam configuration files.
System information such as hostname, OS version, RAM, CPU count, and public IP address is also collected to give the attacker context about each victim machine.
Discord is a central target: the malware enumerates multiple Discord variants installed on Windows and extracts tokens and user data from LevelDB storage under both %APPDATA% and %LOCALAPPDATA%.
Per token, it can access user profile information, Nitro status, billing sources, friend lists, guilds, and even search for 2FA backup codes stored on disk.
Bada Stealer Malware
The collected data is formatted into rich embeds and sent directly to a hard‑coded Discord webhook, with fields summarizing the counts of cookies, passwords, credit cards, autofills, wallets, and Steam data exfiltrated from the victim.
To improve reliability, the attacker added a secondary exfiltration channel using the legitimate file‑sharing service Gofile as a backup.

duer-js malicious package flow (Source: JFrog).
The malware dynamically queries the Gofile API for an available server, uploads stolen archives, then receives a download URL that it forwards to the same Discord webhook so the operator can retrieve the data later.
Users should assume their Discord tokens and saved browser credentials are compromised, enable two‑factor authentication wherever possible, and scan systems for additional suspicious artifacts.
This layered exfiltration makes takedown and blocking more difficult, since it mixes malicious traffic with traffic to a legitimate hosting platform.
Crucially, duer-js does not stop at local data theft. The initial payload downloads a second, similarly obfuscated JavaScript payload from an external hosting service and injects it into the Discord desktop application’s Electron environment by overwriting Discord’s own index.js file.
When the user next opens Discord, this second payload runs inside the client, attaches a debugger to webContents, and listens for specific network events such as /login, /register, /mfa/totp, and /codes-verification.
By using APIs like Network.getResponseBody and Network.getRequestPostData, it can capture plaintext emails, passwords, session tokens, 2FA codes, backup codes, and even live payment details including card number, CVC, and expiry before they are transmitted to legitimate servers.
The second stage also includes a rudimentary persistence attempt and a self‑update mechanism pointing to a GitHub‑hosted script, which suggests the malware family has existed in some form for at least two years.
However, simply uninstalling the malicious NPM package does not remove the injected Discord code or any additional files copied into startup locations, meaning victims must treat affected systems as compromised.
Recommended remediation includes uninstalling duer-js, revoking and rotating all potentially exposed credentials and tokens, fully removing and reinstalling Discord after deleting its local data directories, and manually clearing any leftover node.exe or related executables from Windows startup folders.