Updated on 2022-10-12
The Brazil-based LofyGang distributed around 200 malicious npm packages that have been downloaded over thousands of times over the past year, found Checkmarx. Read more: LofyGang Cybercrime Group Used 200 Malicious NPM Packages for Supply Chain Attacks
Overview
For almost a year, a threat actor believed to be located in Brazil has flooded the npm portal with malicious JavaScript packages that tried to pass as legitimate libraries but contained hidden functionality to steal payment card details and credentials for Discord Nitro, gaming, and online streaming accounts from infected hosts.
In a report on Friday, security firm Checkmarx said the threat actor, which goes online as the LofyGang, was behind almost 200 packages uploaded on the npm portal across 53 different developer accounts.
LofyGang has been prodigious this year, but despite this, they’ve also been very hard to spot, at least to their full extent. Checkmarx said that pieces of LofyGang’s cluster of malicious packages were spotted earlier this year by other security firms, such as Sonatype, Securelist, and jFrog, but none saw the larger infrastructure.
But despite their oversized presence on npm, their end goals were not up to par with their determination to infect targets. Checkmarks said that the group used the stolen credentials to merely boost their Discord server. Stolen gaming and streaming account creds were leaked on the Cracked.io hacking forum as a way to draw attention and promote their hacking tools (many of which were widely available via a public GitHub page) and an underground service for selling fake Instagram followers.
Imagine spending all this time flooding the npm portal with fake libraries, compromising developer boxes, and all of it just for some hacker rep.
We often hear about reports of malicious libraries being found on PyPI, npm, or Rubygems, but in recent years, all of these have been linked to teenage hackerism like this or to some lame cryptomining op. For all the hype surrounding supply chain attacks, it appears that threat actors like LofyGang are exhibiting a serious lack of imagination when they manage to land a malicious package on any of these repos for more than a week or two. One reason why these attacks are often spotted early on is because the DevSecOps has quickly matured, and tools to continuously scan public package repos have caught up with attackers’ speed.
Read more
- LofyGang – Software Supply Chain Attackers; Organized, Persistent, and Operating for over a Year
- Malicious npm ‘colors’ Typosquats Pack Discord Malware
- LofyLife: malicious npm packages steal Discord tokens and bank card data
- Malicious npm Packages Are After Your Discord Tokens – 17 New Packages Disclosed
