The recent LofyLife campaign steals Discord tokens and infects client files to monitor user actions such as logins, password changes and new payment methods.
Threat actors are once again using the Node package manager (npm) repository to hide malware that steals Discord tokens, letting them monitor user sessions and steal data on the popular chat and collaboration platform, researchers have discovered.
Token Logger
A campaign found this week by Kaspersky researchers hides an open-source token logger alongside a novel JavaScript malware in npm packages. The campaign, dubbed ‘LofyLife’, aims to steal Discord tokens as well as victims’ IP addresses from infected machines, they revealed in a blog post on Securelist published Thursday.
Researchers were monitoring open-source repositories on Tuesday when they noticed suspicious activity by four packages containing “highly obfuscated malicious Python and JavaScript code” in the npm repository, they wrote.
LofyStealer
The Python code was a modified version of the open-source token logger Volt Stealer, while the new JavaScript malware, dubbed “LofyStealer”, was created to infect Discord client files so that threat actors can monitor the victim’s actions, researchers stated.
“It detects when a user logs in, changes email or password, enables/disables multi-factor authentication (MFA) and adds new payment methods, including complete bank card details,” researchers Igor Kuznetsov and Leonid Bezvershenko wrote. “Collected information is also uploaded to the remote endpoint whose address is hard-coded.”
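As an added defender-side illustration (not code from Kaspersky or from this article), the following Python triage script flags the traits attributed to the LofyLife packages above: install-time lifecycle hooks, heavily escaped JavaScript, dynamic code evaluation and hard-coded remote endpoints. The sample package it builds is constructed for the demonstration, and the heuristics and thresholds are assumptions, not signatures taken from the research.

```python
import json
import os
import re
import tempfile

# Heuristics modelled on the campaign description: an install-time lifecycle
# hook, long runs of escaped characters (obfuscation), dynamic evaluation and
# a hard-coded remote endpoint. Thresholds are assumptions for this demo.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
ESCAPE_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){8,}")
DYNAMIC_EVAL = re.compile(r"\b(?:eval|Function)\s*\(")
HARDCODED_URL = re.compile(r"https?://[^\s'\"`]+")


def triage_package(pkg_dir):
    """Return a list of (relative file, finding) tuples for one unpacked npm package."""
    findings = []
    manifest = os.path.join(pkg_dir, "package.json")
    with open(manifest, encoding="utf-8") as fh:
        scripts = json.load(fh).get("scripts", {})
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(("package.json", f"lifecycle hook '{hook}': {scripts[hook]}"))
    for root, _dirs, files in os.walk(pkg_dir):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, pkg_dir)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            if ESCAPE_RUN.search(src):
                findings.append((rel, "long run of hex/unicode escapes (obfuscation)"))
            if DYNAMIC_EVAL.search(src):
                findings.append((rel, "dynamic code evaluation"))
            for url in HARDCODED_URL.findall(src):
                findings.append((rel, f"hard-coded endpoint {url}"))
    return findings


def build_sample_package():
    """Construct a harmless throwaway package that mimics the traits above."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "example-pkg", "version": "1.0.0",
                   "scripts": {"postinstall": "node index.js"}}, fh)
    with open(os.path.join(d, "index.js"), "w", encoding="utf-8") as fh:
        fh.write('var s = "' + "\\x41" * 10 + '";\n')  # constructed escape run
        fh.write('fetch("http://collector.invalid/upload");\n')  # placeholder endpoint
    return d
```

Run it as `triage_package(build_sample_package())`; on a real package, point it at the directory produced by `npm pack` and `tar -xzf` before installing.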
Supply-Chain Threat
The npm repository is an open-source home where JavaScript developers share and reuse packages that are then built into all kinds of web applications.
The repository poses a significant supply-chain risk: if a package is corrupted, the malicious code propagates into every app that depends on it and can then be used to attack those apps’ users.
Attacking open-source repositories can be an unusually stealthy way for threat actors to target scores of apps and users in one go.
This was made very clear by the now-infamous Log4Shell debacle, when a zero-day flaw in Apache Log4j, the ubiquitous Java logging library used by countless web apps, threatened to ‘break the internet’.
Third-Party Libraries
“Many people assumed that software created by a vendor was entirely authored by that vendor, but in reality there could be hundreds of third-party libraries making up even the simplest software,” observed Tim Mackey, Principal Security Strategist at the Synopsys Cybersecurity Research Center.
This broad attack surface has not gone unnoticed by threat actors, who increasingly target open-source repositories to plant malware that can spread undetected across multiple platforms.
“Any attack vector that can reach a significant number of targets, or a number of significant targets, is of interest to threat actors,” wrote Casey Bisson, Head of Product and Developer Enablement at code-security firm BluBracket.
Discord
Npm has become an especially attractive target for threat actors: it not only has tens of millions of users, but the packages it hosts have been downloaded billions of times, he noted.
“It’s used both by experienced Node.js developers and those using it casually as part of other activities,” Bisson observed. “Npm modules are used both in Node.js production applications, and in developer tooling for applications that would not otherwise use Node. That ubiquitous use among developers makes it a big target.”
17 Malicious Packages
LofyLife is not the first time threat actors have used npm to target Discord users. In December, researchers at JFrog identified a set of 17 malicious npm packages with varying payloads and tactics that targeted the virtual meeting platform, which is used by 350 million users and enables communication via voice calls, video calls, text messaging and file sharing.
Also, in January 2021, other researchers discovered three malicious npm packages from the threat actors behind the CursedGrabber malware, aimed at stealing Discord tokens and other data from users of the platform.
Kaspersky, among other security firms, continuously monitors updates to npm repositories so that new malicious packages are detected and removed, the researchers noted.