A malicious NPM package named duer-js has been discovered targeting Windows users and developers. Disguised as a legitimate console visibility tool, the package is actively distributing Bada Stealer, a sophisticated malware designed to harvest sensitive data from infected systems.
Despite only 528 downloads, its advanced, multi-stage attack strategy poses serious risks to developers and users who unknowingly install it. Once executed, the malware downloads a secondary payload targeting Discord, enabling continuous monitoring and theft of credentials, payment information, and authentication tokens.
This article details the threat, attack mechanisms, and recommended mitigation steps to protect affected systems.
How the ‘duer-js’ Malware Works
Stage 1: Initial Infection
After installation, duer-js executes the Bada Stealer malware, which immediately:
- Terminates browser and Telegram processes so that their locked data files can be read
- Scans the system for sensitive information
- Establishes persistence mechanisms that survive basic uninstallation
This stage ensures the malware remains active even if the package is removed.
Stage 2: Targeting Discord
The secondary payload specifically targets the Discord desktop application:
- Injects malicious code into Discord’s startup process
- Continuously monitors for tokens, Nitro subscription data, and payment methods
- Extracts two-factor authentication backup codes
The malware exfiltrates data using a Discord webhook, with a backup via Gofile cloud storage, ensuring attackers receive stolen information even if one channel fails.
Data Theft Capabilities
Bada Stealer targets multiple types of sensitive data:
- Discord: Tokens, friends list, Nitro subscription details, billing info, 2FA backup codes
- Browsers (Chrome, Edge, Brave, Opera, Yandex): Saved passwords, cookies, autofill data, credit card information
- Cryptocurrency wallets: Exodus, MetaMask, BraveWallet, AtomicWallet
- Steam: Configuration files and account information
This dual-stage, multi-application approach makes it one of the most comprehensive stealers discovered in the NPM ecosystem.
Detection and Cleanup Steps
If you installed duer-js, immediate action is required:
- Close Discord completely and uninstall it via Windows Settings or Control Panel
- Press Win+R, type %LOCALAPPDATA%, and delete all Discord-related folders (Discord, DiscordPTB, DiscordCanary)
- Reinstall Discord from the official website
- Remove any node.exe files from the Startup folder: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
- Change all passwords stored in browsers
- Revoke Discord tokens and re-enable two-factor authentication
- Review Discord payment methods for unauthorized changes
- Check cryptocurrency wallets and Steam accounts for suspicious activity
Following these steps ensures the malware is fully removed and reduces the risk of further compromise.
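As an added example that is not part of the original article, the following read-only PowerShell audit checks the locations named in the cleanup steps (node.exe in the per-user Startup folder, the Discord folders under %LOCALAPPDATA%, and whether duer-js is still listed by npm) and reports what it finds without deleting anything. It assumes the default per-user paths the article gives and that npm is on PATH; the function name Add-Finding is the example's own.

```powershell
# Added example, not code from the original article: read-only audit of the
# locations the cleanup checklist names. It reports findings; it deletes nothing.
# Assumes the per-user default paths from the article (%APPDATA%, %LOCALAPPDATA%).
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Check, [string]$Path, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Path = $Path; Detail = $Detail })
}

# 1. Per-user Startup folder. A normal Node.js install never places node.exe
#    here, so a hit is worth hashing and preserving for analysis. Every other
#    item is listed too, since startup modification is an indicator to watch.
$startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
foreach ($f in Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue) {
    if ($f.Name -ieq 'node.exe') {
        $sha = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        Add-Finding 'node.exe in Startup folder' $f.FullName "SHA256=$sha Size=$($f.Length) Modified=$($f.LastWriteTime)"
    } elseif ($f.Name -ine 'desktop.ini') {
        Add-Finding 'Other Startup item' $f.FullName "Modified=$($f.LastWriteTime)"
    }
}

# 2. Discord install folders under %LOCALAPPDATA%, the ones the cleanup step
#    says to delete before reinstalling. Listed with their newest file so you
#    can see what is present and when it last changed.
foreach ($name in 'Discord', 'DiscordPTB', 'DiscordCanary') {
    $dir = Join-Path $env:LOCALAPPDATA $name
    if (Test-Path -LiteralPath $dir) {
        $newest = Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue |
            Sort-Object LastWriteTime -Descending | Select-Object -First 1
        Add-Finding "Discord folder present ($name)" $dir "Newest file: $($newest.FullName) ($($newest.LastWriteTime))"
    }
}

# 3. Is duer-js still installed, globally or in the current project directory?
if (Get-Command npm -ErrorAction SilentlyContinue) {
    foreach ($global in $true, $false) {
        $npmArgs = @('ls', 'duer-js', '--depth=0')
        if ($global) { $npmArgs += '-g' }
        $out = (& npm @npmArgs 2>$null) -join "`n"
        if ($out -match 'duer-js@') {
            $where = if ($global) { 'global npm tree' } else { "project: $PWD" }
            Add-Finding 'duer-js still installed' $where $out.Trim()
        }
    }
}

if ($findings.Count -eq 0) { Write-Host 'No indicators from the cleanup checklist found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it before and again after the cleanup steps; a second run that reports nothing is the check that the Startup folder and npm trees are clean.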
Preventive Measures for Developers
- Audit NPM dependencies before adding them to projects
- Avoid installing packages from unknown or unverified publishers
- Use security tools to scan for malicious packages regularly
- Monitor systems for suspicious file creation, startup modifications, and unexpected network traffic
By maintaining strict dependency hygiene, developers can prevent malware like duer-js from infiltrating their systems.
Conclusion
The duer-js NPM package demonstrates how even low-download packages can carry sophisticated malware. Its Bada Stealer payload threatens Discord users, browser accounts, cryptocurrency wallets, and Steam users.
Developers and Windows users must audit installed packages, remove duer-js immediately, and follow a full cleanup procedure to secure their systems. Vigilance and proactive dependency management remain essential in defending against these emerging threats.