npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels
Webhooks on Discord are a way to post messages to channels in the platform without requiring a bot user or authentication, making them an attractive mechanism for attackers to exfiltrate data to a channel under their control. "Importantly, webhook URLs are effectively write-only," Socket researcher Olivia Brown said in an analysis. "They do not expose channel history, and defenders cannot read back prior posts just by knowing the URL."
The packages identified include:

- mysql-dumpdiscord (npm), which siphons the contents of developer configuration files like config.json, .env, ayarlar.js, and ayarlar.json to a Discord webhook
- nodejs.discord (npm), which uses a Discord webhook to likely log alerts (an approach that's not inherently malicious)
- malinssx, malicus, and maliinn (PyPI), which use Discord as a C2 server by triggering an HTTP request to a channel every time the packages are installed using "pip install <package name>"
Several malicious packages across npm, PyPI, and RubyGems use Discord webhooks as command-and-control channels, transmitting stolen data to webhooks the attacker controls. Discord webhooks allow posting without a bot account or authentication, and webhook URLs are effectively write-only, so defenders who learn a URL cannot read back what was previously posted to it. The identified packages siphon configuration and environment files, trigger HTTP requests at install time, and send host information and sensitive files such as /etc/passwd and /etc/resolv.conf to hard-coded webhook URLs. Abusing Discord webhooks reduces the attacker's infrastructure costs, blends the exfiltration with normal traffic and existing firewall rules, and allows it to run silently inside install-time hooks or build scripts.
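Two of the signals in the summary above are cheap to check for before a package is allowed into a build: an npm lifecycle hook that runs at install time, and a hard-coded Discord webhook URL (especially one that sits next to references to .env, config.json or /etc/passwd). The scanner below is an added example written for this page, not code from Socket, The Hacker News or any of the packages named; it works on an unpacked package as a mapping of file path to contents, and the sample package it scans is constructed (the package name and webhook token are placeholders, and the sample script only names the webhook and the target file rather than doing anything with them).

```python
import json
import re

# Matches Discord webhook URLs on the main, PTB and canary hosts (discord.com / discordapp.com).
DISCORD_WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_-]+"
)

# npm lifecycle scripts that run automatically during `npm install`.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Files the article names as exfiltration targets; one of these next to a webhook is a stronger signal.
SENSITIVE_FILE_HINTS = (
    "config.json", ".env", "ayarlar.js", "ayarlar.json", "/etc/passwd", "/etc/resolv.conf",
)


def find_webhooks(text):
    """Return the distinct Discord webhook URLs found in text, sorted."""
    return sorted(set(DISCORD_WEBHOOK_RE.findall(text)))


def scan_package_json(manifest_text):
    """Flag install-time lifecycle hooks in package.json, and any webhook URL placed directly in one."""
    findings = []
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError:
        return findings  # not JSON: nothing to report from the manifest itself
    scripts = manifest.get("scripts") or {}
    for name in NPM_INSTALL_HOOKS:
        cmd = scripts.get(name)
        if not isinstance(cmd, str):
            continue
        findings.append(("install_hook", f"scripts.{name}", cmd))
        for url in find_webhooks(cmd):
            findings.append(("discord_webhook", f"scripts.{name}", url))
    return findings


def scan_source(label, source_text):
    """Flag webhook URLs in one file; if any are present, also note sensitive-file references."""
    findings = [("discord_webhook", label, url) for url in find_webhooks(source_text)]
    if findings:
        hints = [h for h in SENSITIVE_FILE_HINTS if h in source_text]
        if hints:
            findings.append(("sensitive_file_reference", label, ", ".join(hints)))
    return findings


def scan_package(files):
    """Scan a mapping of relative path -> contents (e.g. an unpacked tarball) and return all findings."""
    findings = []
    for path, text in files.items():
        if path == "package.json":
            findings.extend(scan_package_json(text))
        if path.endswith((".js", ".mjs", ".cjs", ".py", ".rb", ".json")):
            findings.extend(scan_source(path, text))
    return findings


# Constructed sample package (hypothetical, not a real package): a postinstall hook plus a script
# that names a webhook URL (placeholder token) and a secrets file.
SAMPLE_PACKAGE = {
    "package.json": json.dumps({
        "name": "example-pkg",  # placeholder name
        "version": "0.0.1",
        "scripts": {"postinstall": "node setup.js", "test": "echo ok"},
    }),
    "setup.js": (
        "// constructed sample: an install-time script that names a webhook and a secrets file\n"
        "const hook = 'https://discord.com/api/webhooks/000000000000000000/EXAMPLE_TOKEN_placeholder';\n"
        "const target = '.env';\n"
    ),
    "index.js": "module.exports = () => 'hello';\n",
}

if __name__ == "__main__":
    for kind, where, value in scan_package(SAMPLE_PACKAGE):
        print(f"{kind:26} {where:22} {value}")
```

Run against a real package, `files` would be built by walking the extracted tarball (for npm, `npm pack` followed by `tar xf`), and a pipeline would typically fail the build on any `discord_webhook` finding and warn on a bare `install_hook`. The URL pattern deliberately covers the discordapp.com and ptb/canary hosts so a trivially rewritten URL is still caught; a proxy or egress rule that blocks the same hosts from build agents is the matching network-side control.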
Read at The Hacker News