Malicious npm Packages Used in Siphoning Off Discord Tokens, Card Data

LofyLife: Malicious npm Packages Used in Siphoning Off Discord Tokens, Card Data

The malicious NPM packages used in this supply chain attack can steal Discord tokens and financial data.

Discord, as you may already know, is a VoIP and instant messaging social platform. It is used by millions of users across the globe which makes it a lucrative target for cybercriminals. Just this week, it was reported that hackers are using bots on Discord and Telegram data

Now, Kaspersky researchers have discovered a malicious new campaign, which they have dubbed LofyLife. They discovered this campaign on 26 July through the internal automated system for monitoring open-source repositories. 

Kaspersky found four suspicious packages in the Node Package Manager (NPM) repository, all of which contained malicious JavaScript and Python code. These packages distributed Volt Stealer and Lofy Stealer malware in the open-source NPM repository.

The objective of this campaign is to collect sensitive user data, including Discord tokens, credit card details, and spying on the users.

What is an NPM Repository?

It is a publicly accessible collection of open-source code packages. The repository is widely used in front-end web applications, routers, mobile apps, and robots and serves the demanding JavaScript community. Its popularity makes the LolyLife campaign dangerous because it can affect millions of users of NPM repositories.

  1. New YTStealer Malware is Hijacking YouTube Channels
  2. 6 official Python repositories plagued with cryptomining malware
  3. Cybercriminals hit malware authors with malicious NPM packages
  4. CISA warns of trojanized versions of JavaScript library’s NPM package
  5. GitHub: Hackers Stole OAuth Access Tokens to Target Dozens of Firms

Analysis of the Malicious Packages

The malicious packages identified in the NPM repository featured obfuscated codes. The Python malware is reportedly a modified version of Volt Stealer open-source token logger. This malware steals Discord tokens from compromised devices. It can also steal the victim’s IP address and upload it over HTTP.

Conversely, the JavaScript malware, dubbed Lofy Stealer, infects Discord client files to spy on the victims’ activities. It can detect when the user has logged in, changed email or passwords, enabled or disabled MFA (multi-factor authentication), added a new payment mechanism such as new bank card details, etc. The malware uploaded the stolen data to a remote endpoint having a hard-coded address.

Malicious npm Packages Used in Siphoning Off Discord Tokens, Card Data
The screenshot shared by Kaspersky shows the proc-title package (Translation: This package correctly capitalizes your titles as per the Chicago manual of style)

According to Kaspersky’s blog post, these malicious repositories are designed as packages for simple tasks like formatting headlines or gaming features. But, these contain obfuscated, malicious JavaScript and Python code, which makes it hard to analyze them when uploaded to the repository.

Possible Dangers

The stolen Discord tokens may be leveraged in spear-phishing attacks on the victim’s contacts since even a novice developer can import malicious packages without alerting the user. That’s because the NPM provides a massive library of open-source packages for code enhancement. These packages are easy to use, so these have become a popular target.

More Malware News

  1. Teen “Hackers” on Discord Selling Malware for Quick Cash
  2. QBot Malware Exploiting Windows Calculator to Compromise Devices
  3. Microsoft Office Most Exploited Software in Malware Attacks – Report
  4. Ducktail Malware Exploits LinkedIn to Hack Facebook Business Accounts
  5. Chinese Hackers Distributing Nim language Malware in SMS Bomber Tool
Related Posts