A recent LofyLife campaign infects Discord client files and steals tokens to track user activity, including logins, password changes, and payment methods.

Researchers have discovered that threat actors are once again using the node package manager (npm) repository to distribute malware that steals Discord tokens, letting them monitor user sessions and collect data from the popular chat and collaboration platform.

The campaign, which Kaspersky researchers uncovered this week, hid a custom JavaScript stealer together with a modified open-source token logger inside npm packages. According to a Securelist blog post published on Thursday, the LofyLife campaign aims to steal Discord tokens from infected machines along with the victims' IP addresses.

On Tuesday, researchers were keeping an eye on open-source repositories when they discovered four packages containing “highly obfuscated malicious Python and JavaScript code” in the npm repository.

The researchers found that the Python code was a modified version of the open-source token logger Volt Stealer, while the JavaScript component, a custom stealer dubbed “LofyStealer,” was built to infect Discord client files so that the threat actors can monitor the victim's activity.

Researchers Igor Kuznetsov and Leonid Bezvershenko noted, “It recognizes when a user signs in, changes email or password, enables/disables multi-factor authentication (MFA), and adds new payment methods, including complete bank card details. Additionally, the remote endpoint’s hard-coded address receives the collected data.”

Npm As Supply-Chain Threat

The npm repository is the JavaScript community's open-source home for sharing and reusing code packages, from small snippets to the building blocks of entire web applications. It presents a substantial supply-chain risk: if a package in it is compromised, every application that pulls in that package, directly or as a transitive dependency, inherits the malicious code, exposing the countless users of those applications.

Planting or compromising open-source components is an extremely covert way for threat actors to hit a large number of applications and end users at once. The reach of a single widely used dependency was demonstrated by the now-famous Log4Shell episode, in which a zero-day vulnerability in the popular Java logging library Apache Log4j, used by many web applications, put much of the internet at risk. That was a bug rather than a planted package, but malicious code travels down the same dependency chains just as far.

According to Tim Mackey, lead security strategist at the Synopsys Cybersecurity Research Center, “Many people assumed that software created by a vendor was fully authored by that vendor, but in reality, there may be hundreds of third-party libraries making up even the most basic software.”

Threat actors have taken note of this broad attack surface and increasingly use open-source repositories to host malware that can lurk undetected across many platforms.

Casey Bisson, head of product and developer enablement at code-security company BluBracket, wrote in an email to Threatpost, “Any attack route that can reach a considerable number of targets, or a number of significant targets, is of interest to threat actors.”

Discord in the Crosshairs

Since npm has tens of millions of users, and the packages it hosts have been downloaded billions of times, it has become a particularly alluring target for threat actors, he added.

Both seasoned Node.js engineers and people who use it casually as part of other work rely on it, according to Bisson. “Both Node.js production applications and developer tools for applications that wouldn’t normally use Node.js employ Npm modules. It’s a significant target because developers use it so frequently.”

Indeed, threat actors have used npm to target Discord users before LofyLife.

In December, JFrog researchers discovered a group of 17 malicious npm packages targeting the chat platform, which has 350 million users and supports voice calls, video calls, text messages, and file sharing. The packages used a variety of payloads and tactics.

Before that, in January 2021, other researchers found three malicious npm packages, from the threat actors behind the CursedGrabber malware, designed to steal Discord tokens and other information from the platform's users.

Kaspersky researchers said that they, along with other security companies, continuously monitor updates to the npm repository so that newly published malicious packages are found and removed.
