Malicious Npm Packages Tapped Again to Target Discord Users

Recent LofyLife campaign steals tokens and infects client files to monitor various user actions, such as log-ins, password changes and payment methods.

Threat actors once again are using the node package manager (npm) repository to hide malware that can steal Discord tokens to monitor user sessions and steal data on the popular chat and collaboration platform, researchers have found.

A campaign discovered this week by Kaspersky researchers is hiding an open-source token logger alongside a novel JavaScript malware in npm packages. The campaign, dubbed LofyLife, is aimed at stealing Discord tokens as well as victims’ IP addresses from infected machines, they said in a blog post on Securelist published Thursday.

Researchers were monitoring open-source repositories on Tuesday when they noticed suspicious activity in the form of four packages containing “highly obfuscated malicious Python and JavaScript code” in the npm repository, they wrote in the post.

The Python code turned out to be a modified version of the open-source token logger Volt Stealer, while the novel JavaScript malware, dubbed “LofyStealer,” was created to infect Discord client files so threat actors can monitor the victim’s actions, researchers said.

“It detects when a user logs in, changes email or password, enables/disables multi-factor authentication (MFA) and adds new payment methods, including complete bank card details,” researchers Igor Kuznetsov and Leonid Bezvershenko wrote. “Collected information is also uploaded to the remote endpoint whose address is hard-coded.”

Npm As Supply-Chain Threat

The npm repository is an open-source home for JavaScript developers to share code blocks that can then be reused to build various web applications. The repository poses a significant supply-chain threat: if it is corrupted, the malicious code propagates to any app using it and can thus be used to attack those apps’ myriad users.

Indeed, attacking open-source repositories can be an unusually stealthy way for threat actors to target scores of apps and users in one fell swoop. This was made abundantly clear with the now infamous Log4Shell debacle, when a zero-day flaw in the ubiquitous Java logging library Apache Log4j used by countless web apps threatened to break the internet.

“Many people assumed that software created by a vendor was entirely authored by that vendor, but in reality there could be hundreds of third-party libraries making up even the simplest software,” observed Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, in an email to Threatpost.

This broad attack surface has not gone unnoticed by threat actors, who increasingly are targeting open-source repositories to hide malware that can lurk unsuspected across multiple platforms.

“Any attack vector that can reach a significant number of targets, or a number of significant targets is of interest to threat actors,” Casey Bisson, head of product and developer enablement at code-security firm BluBracket, wrote in an email to Threatpost.

Discord in the Crosshairs

Npm has become an especially attractive target for threat actors as it not only has tens of millions of users, but packages hosted by the repository also have been downloaded billions of times, Bisson said.

“It’s used both by experienced Node.js developers and those using it casually as part of other activities,” Bisson observed. “Npm modules are used both in Node.js production applications, and in developer tooling for applications that wouldn’t otherwise use Node. That ubiquitous use among developers makes it a big target.”

Indeed, LofyLife is not the first time threat actors have used npm to target Discord users. In December, researchers at JFrog identified a set of 17 malicious npm packages with varying payloads and tactics that targeted the virtual meeting platform, which is used by 350 million users and enables communication via voice calls, video calls, text messaging and files.

Prior to that in January 2021, other researchers discovered three malicious npm packages from the threat actors behind the CursedGrabber malware aimed at stealing Discord tokens and other data from users of the platform.

Kaspersky, among other security firms, is constantly monitoring updates to npm repositories to ensure that all new malicious packages are detected and removed, researchers said.
