bada stealer

Bada Stealer is a Windows-targeting information-stealing malware delivered via a malicious npm package, “duer-js” (published by npm user “luizaearlyx”), and self-identifies in code as “bada stealer.” The package uses heavy multi-stage JavaScript obfuscation (including a very long eval()-wrapped payload, nested URI-encoding, and XOR-based string decoding) and includes anti-tampering logic intended to hinder analysis.

On execution, Bada Stealer aggressively terminates certain processes (including browser and Telegram processes) and harvests sensitive data from the host. It targets Discord heavily: it enumerates multiple Discord variants (discord, discordcanary, discordptb, discorddevelopment, lightcord), extracts tokens from LevelDB data under %APPDATA% and %LOCALAPPDATA%, and uses those tokens to query Discord endpoints to collect account/user information (e.g., /users/@me), Nitro type, billing/payment sources (/billing/payment-sources), friends, and guilds. It also searches for Discord 2FA backup codes by looking for “discord_backup_codes” on disk.

It also steals data from Chromium-based browsers (Chrome, Edge, Brave, Opera, Yandex), including passwords (from “Login Data”/password databases, decrypted with Windows DPAPI where applicable), cookies (from Network\Cookies and Network\LxnyCookies), and autofill/credit-card data (from “Web Data”). It enumerates multiple browser profiles (Default, Profile 1–5, Guest). Additional collection includes cryptocurrency wallet artifacts (including Exodus wallet data and browser-extension wallet data via extension settings paths), Steam configuration (zipping “C:\Program Files (x86)\Steam\config”), and system metadata such as hostname, OS version, uptime, RAM, CPU count, username, working directory, temp directory, and external/public IP.

Exfiltration is primarily performed via an attacker-controlled Discord webhook (the report provides: hxxps://discord.com/api/webhooks/1455324432548499496/6oMVbi2PYDxrBiOtHe2tpBSUOdBJpz2RDEiwLkHUqeqJbgIPiONHafMP5tHXYjAVK2R3). A secondary exfiltration path uses the legitimate GoFile service by querying https://api.gofile.io/servers and uploading to https://<server>.gofile.io/uploadFile, then sending the resulting download URL back to the same Discord webhook.

The malware is multi-stage: the first-stage downloads a second-stage JavaScript payload from hxxps://ghostbin.axel.org/paste/yckfb/raw and persists by overwriting Discord Desktop’s local index.js within Discord application directories under %LOCALAPPDATA%, causing execution on Discord startup. The injected Discord component abuses Electron’s webContents.debugger API to intercept network events and capture plaintext credentials, MFA codes, session tokens, and payment card details in real time from endpoints including /login, /register, /mfa/totp, /mfa/codes-verification, and /@me, and exfiltrates to the same webhook. The injected payload includes self-update logic referencing https://raw.githubusercontent.com/xSalca/Viral/main/index.js.

The report notes that uninstalling the npm package alone is insufficient due to Discord injection/persistence. JFrog reported the package had 528 downloads and detections in JFrog Xray/JFrog Curation under ID XRAY-938808. The report also provides a second-stage payload hash: a91dd2e6a5ab21b8dd3bac7fc9be928b0764075fa71e33bc5ecd2f237b1f82c3.