Two days ago, on July 26, Kaspersky experts discovered a new malicious campaign, dubbed 'LofyLife', using their internal automated system for monitoring open-source repositories. The public collection of open-source code packages has thus been compromised.
The campaign uses four malicious packages in the open-source npm repository to spread the 'Volt Stealer' and 'Lofy Stealer' malware. These collect various information from their victims, including Discord tokens and credit card details, and spy on them over time.
Infected open source code packages
The npm repository is a public collection of open-source code packages that are widely used in front-end web apps, mobile apps, robots, and routers, and that serve myriad other needs of the JavaScript community. The popularity of this repository makes the LofyLife campaign even more dangerous, as it could potentially affect numerous users of the repository.
The identified malicious packages appeared to be intended for common tasks like formatting headlines or certain game features. However, they contained heavily obfuscated malicious JavaScript and Python code, which made them difficult to analyze when they were uploaded to the repository. The malicious payload consisted of the Volt Stealer malware, written in Python, and the feature-rich Lofy Stealer malware, written in JavaScript.
Wanted: Discord tokens and credit card details
Volt Stealer was used to steal Discord tokens and victims' IP addresses from infected computers and upload them via HTTP. Lofy Stealer, a new development by the attackers, can infect Discord client files and monitor the victim's actions. The malware detects when a user logs in, changes their email or password, enables or disables multi-factor authentication, or adds a new payment method, including full credit card details. The collected information is also uploaded to the remote endpoint.
Leonid Bezvershenko, security researcher in Kaspersky's Global Research and Analysis Team (GReAT), comments on the detected campaign:
“Developers rely heavily on open source code repositories - they use them to make IT solution development faster and more efficient. Overall, they make a significant contribution to the development of the IT industry. However, as the LofyLife campaign shows, even reputable repositories cannot be trusted by default – any code that a developer puts into their products, including open-source code, is their own responsibility. We have added identifiers of this malware to our products so that users using our solutions can determine if they have been infected and remove the malware.” Kaspersky products detect the LofyLife malware as Trojan.Python.Lofy.a and Trojan.Script.Lofy.gen.
About Kaspersky
Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/