LofyLife: malicious npm packages steal Discord tokens and bank card data

28 Jul 2022

minute read

Authors

On July 26, using the internal automated system for monitoring open-source repositories, we identified four suspicious packages in the Node Package Manager (npm) repository. All these packages contained highly obfuscated malicious Python and JavaScript code. We dubbed this malicious campaign “LofyLife”.

Description of the proc-title package (Translation: This package correctly capitalizes your titles as per the Chicago manual of style)

The Python malware is a modified version of an open-source token logger called Volt Stealer. It is intended to steal Discord tokens from infected machines, along with the victim’s IP address, and upload them via HTTP. The JavaScript malware we dubbed “Lofy Stealer” was created to infect Discord client files in order to monitor the victim’s actions. It detects when a user logs in, changes email or password, enables/disables multi-factor authentication (MFA) and adds new payment methods, including complete bank card details. Collected information is also uploaded to the remote endpoint whose address is hard-coded.

Data is exfiltrated to Replit-hosted instances:

life.polarlabs.repl[.]co
Sock.polarlabs.repl[.]co
idk.polarlabs.repl[.]co

Kaspersky solutions detect the threat with the following verdicts:

HEUR:Trojan.Script.Lofy.gen
Trojan.Python.Lofy.a

We are constantly monitoring the updates to repositories to ensure that all new malicious packages are detected.

Timeline of uploaded packages

Package name	Version	Timestamp (UTC)
small-sm	8.2.0	2022-07-17 20:28:29
small-sm	4.2.0	2022-07-17 19:47:56
small-sm	4.0.0	2022-07-17 19:43:57
small-sm	1.1.0	2022-06-18 16:19:47
small-sm	1.0.9	2022-06-17 12:23:33
small-sm	1.0.8	2022-06-17 12:22:31
small-sm	1.0.7	2022-06-17 03:36:45
small-sm	1.0.5	2022-06-17 03:31:40
pern-valids	1.0.3	2022-06-17 03:19:45
pern-valids	1.0.2	2022-06-17 03:12:03
lifeculer	0.0.1	2022-06-17 02:50:34
proc-title	1.0.3	2022-03-04 05:43:31
proc-title	1.0.2	2022-03-04 05:29:58

We covered the incident in more detail in a private report delivered to customers of our Threat Intelligence Portal.

Authors

LofyLife: malicious npm packages steal Discord tokens and bank card data

Latest Posts

Latest Webinars

Reports

While monitoring the traffic of our own corporate Wi-Fi network, we noticed suspicious activity that originated from several iOS-based phones. We created offline backups of the devices, inspected them and discovered traces of compromise.

GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher.

Kaspersky analysis of the CloudWizard APT framework used in a campaign in the region of the Russo-Ukrainian conflict.

For more than five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research; and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports.

LofyLife: malicious npm packages steal Discord tokens and bank card data

GReAT Ideas. Balalaika Edition

GReAT Ideas. Green Tea Edition

GReAT Ideas. Powered by SAS: malware attribution and next-gen IoT honeypots

GReAT Ideas. Powered by SAS: threat actors advance on new fronts

GReAT Ideas. Powered by SAS: threat hunting and new techniques

In search of the Triangulation: triangle_check utility

Operation Triangulation: iOS devices targeted with previously unknown malware

CloudWizard APT: the bad magic story goes on

Bad magic: new APT found in the area of Russo-Ukrainian conflict

How to train your Ghidra

QBot banker delivered through business correspondence

Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack

CVE-2022-41040 and CVE-2022-41082 – zero-days in MS Exchange

Ongoing exploitation of CVE-2022-41352 (Zimbra 0-day)

Two more malicious Python packages in the PyPI

Latest Posts

How cybercrime is impacting SMBs in 2023

LockBit Green and phishing that targets organizations

Dissecting TriangleDB, a Triangulation spyware implant

A bowl full of security problems: Examining the vulnerabilities of smart pet feeders

Latest Webinars

Unveiling the Darknet’s Malware-as-a-Service model

Securing the Fort: How to master cyber incident response in a large company

Cyberthreats to modern automotive industry

Applying ATT&CK to analyze ransomware campaigns

Reports

Operation Triangulation: iOS devices targeted with previously unknown malware

Meet the GoldenJackal APT group. Don’t expect any howls

CloudWizard APT: the bad magic story goes on

APT trends report Q1 2023

Subscribe to our weekly e-mails