New malware campaign spreads via infected open source NPM packages
On July 26, Kaspersky Lab researchers uncovered a malicious campaign dubbed LofyLife. The attackers targeted Discord user tokens and the bank card details linked to those accounts, and also tracked their victims' actions. They used four malicious packages published in the NPM open source repository to distribute the Volt Stealer and Lofy Stealer malware.
The NPM repository is a public collection of open source packages widely used in front-end web applications, mobile applications, robots and routers, and for various other needs of the JavaScript community. The popularity of the repository increases the danger of the LofyLife campaign, as the malicious packages could have reached a large number of its users.
The detected malicious packages posed as utilities for common tasks such as header formatting, but they contained heavily obfuscated malicious JavaScript and Python code, which made the packages published in the repository difficult to analyze. The malicious payload consisted of two Trojans: the Volt Stealer, written in Python, and a more capable JavaScript Trojan dubbed Lofy Stealer.
The attackers used Volt Stealer to steal Discord tokens and victims' IP addresses from infected devices and exfiltrate them over HTTP. Lofy Stealer is capable of infecting Discord client files and tracking the victim's activities: when a user logs in, changes their email address or password, enables or disables multi-factor authentication, and adds new payment methods. The malware can also capture the full details of any bank card linked to the account. The collected information is likewise uploaded to servers controlled by the attackers.
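The packages described above slipped through because they looked like ordinary utilities while carrying obfuscated code that ran on the victim's machine. The following is an added example, not code from the article or from Kaspersky, of a heuristic pre-install audit a developer can run over a downloaded package before it enters a project: it flags lifecycle scripts that execute during `npm install` and JavaScript sources showing typical machine-obfuscation indicators (hex string escapes, `_0x…` identifiers, `eval`/`Function`, `String.fromCharCode`, very long lines). The package manifests and source snippets below are constructed for the demonstration; the thresholds are assumptions chosen for illustration, not Kaspersky's detection logic.

```javascript
'use strict';

// Added example (not from the article): heuristic audit of an npm package
// for install-time execution and obfuscated JavaScript.

// npm lifecycle scripts that run automatically during installation.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Count obfuscation indicators in a JavaScript source string.
function obfuscationIndicators(source) {
  const longestLine = source.split('\n').reduce((m, l) => Math.max(m, l.length), 0);
  return {
    longestLine,
    hexEscapes: (source.match(/\\x[0-9a-fA-F]{2}/g) || []).length,
    hexIdentifiers: (source.match(/\b_0x[0-9a-f]{4,}\b/g) || []).length,
    dynamicEval: /\b(eval|Function)\s*\(/.test(source),
    fromCharCode: /String\.fromCharCode/.test(source),
  };
}

// Assumed thresholds (illustrative): two or more indicators mark a file as
// likely obfuscated. Minified but honest code usually trips at most one.
function isLikelyObfuscated(ind) {
  const score =
    (ind.hexEscapes >= 10 ? 1 : 0) +
    (ind.hexIdentifiers >= 4 ? 1 : 0) +
    (ind.dynamicEval ? 1 : 0) +
    (ind.fromCharCode ? 1 : 0) +
    (ind.longestLine >= 1000 ? 1 : 0);
  return score >= 2;
}

// Audit a package given its package.json text and a map of
// { fileName: sourceText }. Returns an array of human-readable findings.
function auditPackage(packageJsonText, sourceFiles) {
  const findings = [];
  let manifest;
  try {
    manifest = JSON.parse(packageJsonText);
  } catch (e) {
    return ['package.json is not valid JSON'];
  }
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) {
      findings.push(`runs "${hook}" during install: ${scripts[hook]}`);
    }
  }
  for (const [name, src] of Object.entries(sourceFiles)) {
    const ind = obfuscationIndicators(src);
    if (isLikelyObfuscated(ind)) {
      findings.push(`${name}: likely obfuscated (${JSON.stringify(ind)})`);
    }
  }
  return findings;
}

// Constructed samples for the demonstration (not real packages).
const CLEAN_MANIFEST = JSON.stringify({
  name: 'example-header-fmt', version: '1.0.2', main: 'index.js',
});
const CLEAN_SAMPLE =
  "'use strict';\nmodule.exports = function formatHeader(text) {\n" +
  '  return text.trim().toUpperCase();\n};\n';

const SUSPICIOUS_MANIFEST = JSON.stringify({
  name: 'example-header-fmt', version: '1.0.3', main: 'index.js',
  scripts: { postinstall: 'node setup.js' },
});
// Mimics the shape of javascript-obfuscator output: hex-escaped string
// table, _0x identifiers, and dynamic evaluation.
const OBFUSCATED_SAMPLE =
  "var _0x3f2a=['\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f','\\x74\\x6f\\x6b\\x65\\x6e'];" +
  '(function(_0x1b4c,_0x5e7d){var _0x2c9a=function(_0x4d1e){return _0x3f2a[_0x4d1e];};' +
  'eval(String.fromCharCode(102,117,110,99));})();';

function runDemo() {
  return {
    clean: auditPackage(CLEAN_MANIFEST, { 'index.js': CLEAN_SAMPLE }),
    suspicious: auditPackage(SUSPICIOUS_MANIFEST, { 'setup.js': OBFUSCATED_SAMPLE }),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Heuristics like these only raise a flag for manual review; obfuscation is also used by legitimate minifiers, and a postinstall script is often benign. Run the audit on the tarball (`npm pack <pkg>`) rather than on an already installed tree, so nothing executes before the check.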
“Developers rely heavily on open source repositories – they use them to speed up and increase efficiency in the process of creating IT solutions. However, campaigns like LofyLife show that even authoritative repositories cannot be trusted by default – all code that IT professionals implement into their products falls under their own responsibility. We have added new malware detection tools to our solutions, so their users will be able to find out about the infection and remove malware,” comments Leonid Bezvershenko, cybersecurity expert at Kaspersky Lab.