A recent LofyLife campaign infects Discord client files and steals tokens in order to track user activity, including logins, password changes and the addition of payment methods.
Researchers have discovered that threat actors are once again using the node package manager (npm) repository to distribute malware that steals Discord tokens, monitors user sessions and collects data from the popular chat and collaboration platform.
Kaspersky researchers Igor Kuznetsov and Leonid Bezvershenko noted: “It recognizes when a user signs in, changes email or password, enables/disables multi-factor authentication (MFA), and adds new payment methods, including complete bank card details. Additionally, the remote endpoint’s hard-coded address receives the collected data.”
Npm As Supply-Chain Threat
Compromising open-source repositories gives threat actors a covert way to reach a large number of applications and users at once. The reach of a single widely used dependency was demonstrated by the now-famous Log4Shell incident, in which a zero-day vulnerability in the Java logging library Apache Log4j, embedded in countless web applications, put much of the internet at risk.
According to Tim Mackey, lead security strategist at the Synopsys Cybersecurity Research Center, “Many people assumed that software created by a vendor was fully authored by that vendor, but in reality, there may be hundreds of third-party libraries making up even the most basic software.”
Threat actors have taken note of this broad attack surface and increasingly use open-source repositories to host malware that can lurk undetected across many platforms.
Casey Bisson, head of product and developer enablement at code-security company BluBracket, wrote in an email to Threatpost, “Any attack route that can reach a considerable number of targets, or a number of significant targets, is of interest to threat actors.”
Discord in the Crosshairs
Npm has tens of millions of users, and packages hosted in the repository have been downloaded billions of times, he added, which makes it a particularly attractive target for threat actors.
Both seasoned Node.js engineers and those who use it casually as part of other work rely on it, according to Bisson. “Both Node.js production applications and developer tools for applications that wouldn’t normally use Node.js employ Npm modules. It’s a significant target because developers use it so frequently.”
Threat actors have used npm to target Discord users before LofyLife.
In December, JFrog researchers discovered a group of 17 malicious npm packages targeting the platform, which is used by 350 million people for voice calls, video calls, text messages and file sharing. The packages used a variety of payloads and tactics.
Before that, in January 2021, other researchers found three malicious npm packages from the threat actors behind the CursedGrabber malware, designed to steal Discord tokens and other information from the platform’s users.
The researchers said Kaspersky, along with other security companies, continuously monitors updates to npm repositories so that new malicious packages are found and removed.