A malicious npm package named "duer-js" was published by the user "luizaearlyx." It installs "Bada Stealer," a sophisticated infostealer aimed at Windows users, particularly developers who use browsers and Discord. Although it has only 528 downloads, its multi-stage design poses a serious risk because it can steal payment information, tokens, and passwords.
Initial Payload and Obfuscation

The core of the package is hidden in index.js inside a 64,000-character eval() string that is URI-encoded and decrypted at runtime using key 11. To frustrate analysts, an anti-tampering check detects modifications and logs "Error: the code has been tampered with!" Replacing the obfuscated calls exposes near-source, readable malware, and decoding it reveals a string table. The stealer first terminates the Telegram and browser processes.
It then steals Discord tokens from the %APPDATA% and %LOCALAPPDATA% paths of clients such as Discord, Discord Canary, and Lightcord. For each token it retrieves Nitro details, friends, guilds, billing sources, user information (/users/@me), and 2FA backup codes. From browsers such as Chrome, Edge, Brave, Opera, and Yandex it collects cookies, autofill data, and credit card information across all profiles, as well as passwords (taken from Login Data and decrypted via DPAPI).
Figure: pretty-printed sample of code from the index.js entry point (Source: JFrog)

Extensions such as BraveWallet and MetaMask are targeted, and cryptocurrency wallets such as Exodus are zipped and uploaded. System information is collected, including the external IP obtained from myexternalip.com, and the Steam configuration is zipped as steam.zip. The data is saved as Passwords.txt, Cards.txt, and similar files and then exfiltrated to a Discord webhook.
As a fallback it uses Gofile.io: it retrieves a server from api.gofile.io/servers, uploads the files, and sends the download links through the webhook. The persistence mechanism is broken: node.exe is copied to the Startup folder without the complete arguments, so persistence fails.

Discord Takeover and Secondary Payload

The first payload downloads another obfuscated JavaScript file from hxxps://ghostbin[.]axel[.]org/paste/yckfb/raw. It runs on app startup, replaces Discord's index.js in %LOCALAPPDATA%, and sends a "Successfully Injected" message to the webhook. It takes control of Discord's Electron process via webContents.debugger.attach("1.3") and monitors Network.responseReceived events.

Figure: Bada Stealer delivered by "duer-js" (Source: JFrog)

It filters /login and /register for credentials, /mfa/totp and /codes-verification for 2FA codes, and /@me for account changes.
Tokens, passwords, and plaintext emails are pulled from memory through Network.getResponseBody and Network.getRequestPostData.
Figure: the second stage of string decoding shows the raw conversion table (Source: JFrog)

Payments are intercepted as well: for PayPal "tokens" URLs it parses card[number], cvc, and exp_month/year. Everything is exfiltrated to the same webhook.
Self-updates are pulled from raw.githubusercontent.com/xSalca/Viral/main/index.js, a repository that is more than two years old. Removing the package with npm uninstall duer-js is not enough. Clear cookies, browser passwords, Steam credentials, Discord tokens (assume they have been stolen), and access to cryptocurrency wallets such as Exodus. Turn on 2FA everywhere.
Uninstall Discord: close it completely, remove it via Settings, delete %LOCALAPPDATA%\Discord (and variants such as DiscordCanary), and then reinstall the official version. Remove node.exe from %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. Run an antivirus scan; JFrog Xray identifies the package as XRAY-938808.
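A defender-side triage check over a package's entry-point source for the traits described above (the huge URI-encoded eval(), the tamper message, and the network indicators named in this write-up). This is an added example, not the article's or JFrog's code; the 10,000-character eval threshold and the Discord webhook URL form are assumptions.

```javascript
// Added example (not from the article or JFrog): heuristic triage of an npm package's
// entry-point source for the duer-js traits described above. The 10,000-char eval
// threshold and the webhook URL form are assumptions, not values from the write-up.
const INDICATORS = [
  "ghostbin",                               // second-stage paste host (defanged in the write-up)
  "api.gofile.io/servers",                  // fallback upload channel
  "myexternalip.com",                       // external IP lookup
  "raw.githubusercontent.com/xSalca/Viral", // self-update source
  "discord.com/api/webhooks",               // assumed URL form of the exfil webhook
];

// Returns a list of findings; an empty list means none of the traits were seen.
function scanSource(src, maxEvalLen = 10000) {
  const findings = [];
  // eval("<long literal>") or eval(decodeURIComponent("<long literal>"))
  const evalRe = /eval\s*\(\s*(?:decodeURI(?:Component)?\s*\()?\s*(['"`])([\s\S]*?)\1/g;
  for (const m of src.matchAll(evalRe)) {
    if (m[2].length >= maxEvalLen) {
      findings.push({ kind: "large-eval", detail: `eval of a ${m[2].length}-char literal` });
    }
  }
  if (/eval\s*\(/.test(src) && /decodeURIComponent\s*\(/.test(src)) {
    findings.push({ kind: "uri-decoded-eval", detail: "eval combined with decodeURIComponent" });
  }
  if (/tampered with/i.test(src)) {
    findings.push({ kind: "anti-tamper-string", detail: "tamper-detection error message" });
  }
  for (const ind of INDICATORS) {
    if (src.includes(ind)) findings.push({ kind: "indicator", detail: ind });
  }
  return findings;
}

// Constructed samples: a stand-in for the obfuscated entry point, and a harmless module.
const SUSPICIOUS_SAMPLE =
  "const k = 11;\n" +
  'eval(decodeURIComponent("' + "%41".repeat(4000) + '"));\n' +
  'console.log("Error: the code has been tampered with!");\n' +
  'fetch("https://api.gofile.io/servers");\n';
const BENIGN_SAMPLE = "module.exports = (a, b) => a + b;\n";

for (const [name, src] of [["suspicious", SUSPICIOUS_SAMPLE], ["benign", BENIGN_SAMPLE]]) {
  const f = scanSource(src);
  console.log(`${name}: ${f.length} finding(s)`, f.map((x) => x.kind));
}
```

Run it over node_modules/<package>/index.js (or the file package.json's "main" points to) before trusting a freshly installed dependency; a single hit is a reason to look closer, not proof of compromise.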