Skip to Content

LofyGang runs amok in the npm ecosystem with minimal gains

Updated on 2022-10-12

The Brazil-based LofyGang distributed around 200 malicious npm packages that have been downloaded over thousands of times over the past year, found Checkmarx. Read more: LofyGang Cybercrime Group Used 200 Malicious NPM Packages for Supply Chain Attacks


For almost a year, a threat actor believed to be located in Brazil has flooded the npm portal with malicious JavaScript packages that tried to pass as legitimate libraries but contained hidden functionality to steal payment card details and credentials for Discord Nitro, gaming, and online streaming accounts from infected hosts.

In a report on Friday, security firm Checkmarx said the threat actor, which goes online as the LofyGang, was behind almost 200 packages uploaded on the npm portal across 53 different developer accounts.

LofyGang has been prodigious this year, but despite this, they’ve also been very hard to spot, at least to their full extent. Checkmarx said that pieces of LofyGang’s cluster of malicious packages were spotted earlier this year by other security firms, such as Sonatype, Securelist, and jFrog, but none saw the larger infrastructure.

LofyGang runs amok in the npm ecosystem with minimal gains

But despite their oversized presence on npm, their end goals were not up to par with their determination to infect targets. Checkmarks said that the group used the stolen credentials to merely boost their Discord server. Stolen gaming and streaming account creds were leaked on the hacking forum as a way to draw attention and promote their hacking tools (many of which were widely available via a public GitHub page) and an underground service for selling fake Instagram followers.

Imagine spending all this time flooding the npm portal with fake libraries, compromising developer boxes, and all of it just for some hacker rep.

We often hear about reports of malicious libraries being found on PyPI, npm, or Rubygems, but in recent years, all of these have been linked to teenage hackerism like this or to some lame cryptomining op. For all the hype surrounding supply chain attacks, it appears that threat actors like LofyGang are exhibiting a serious lack of imagination when they manage to land a malicious package on any of these repos for more than a week or two. One reason why these attacks are often spotted early on is because the DevSecOps has quickly matured, and tools to continuously scan public package repos have caught up with attackers’ speed.

Read more

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two chilrdren. You can reach him at [email protected] or follow him on Website | Twitter | Facebook

    Ads Blocker Image Powered by Code Help Pro

    Your Support Matters...

    We run an independent site that is committed to delivering valuable content, but it comes with its challenges. Many of our readers use ad blockers, causing our advertising revenue to decline. Unlike some websites, we have not implemented paywalls to restrict access. Your support can make a significant difference. If you find this website useful and choose to support us, it would greatly secure our future. We appreciate your help. If you are currently using an ad blocker, please consider disabling it for our site. Thank you for your understanding and support.