September 22, 2023

Researchers have discovered an attack campaign named LofyLife that uses malicious npm packages to target Discord users, stealing Discord tokens and users’ card data.

The Python malware is a modified version of an open-source token logger called Volt Stealer. It is intended to steal Discord tokens from infected machines, along with the victim’s IP address, and upload them via HTTP.

It detects when a user logs in, changes email or password, enables or disables MFA, or adds new payment methods, including complete bank card details. Collected information is also uploaded to a remote endpoint whose address is hard-coded.


The campaign is further evidence that the developer community and downstream customers of development environments unwittingly download malware when they use open-source packages to accelerate time-to-market.

Data is exfiltrated to Replit-hosted instances:

  • life.polarlabs.repl[.]co
  • Sock.polarlabs.repl[.]co
  • idk.polarlabs.repl[.]co
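
A defender can check an installed dependency tree for references to these hosts. The following is an added example, not code from Kaspersky or from the original post: it refangs the three indicators listed above and scans a directory such as `node_modules` for them as whole hostnames. The function names, the size limit and the sample files are assumptions made for illustration.

```python
import os
import re
import tempfile

# Indicators exactly as listed on this page (defanged form).
DEFANGED_IOCS = ["life.polarlabs.repl[.]co", "Sock.polarlabs.repl[.]co",
                 "idk.polarlabs.repl[.]co"]

def build_matcher(indicators):
    """Compile one case-insensitive regex matching any indicator as a whole hostname."""
    hosts = sorted({i.replace("[.]", ".").lower() for i in indicators})
    alternation = "|".join(re.escape(h) for h in hosts)
    # Lookarounds reject look-alikes such as "...repl.com" or "...repl.co.example".
    return re.compile(r"(?<![\w.-])(?:%s)(?![\w-]|\.\w)" % alternation, re.IGNORECASE)

def scan_tree(root, matcher, max_bytes=2_000_000):
    """Return sorted (relative_path, host) pairs for files under root naming an indicator."""
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # assumption: skip very large files to keep the scan fast
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file or broken symlink
            for match in matcher.finditer(text):
                hits.add((os.path.relpath(path, root), match.group(0).lower()))
    return sorted(hits)

def demo():
    """Scan a constructed package tree (sample files are made up for this example)."""
    samples = {
        "good-pkg/index.js": "fetch('https://registry.npmjs.org/')\n",
        "bad-pkg/index.js": "const u = 'https://SOCK.polarlabs.repl.co/';\n",
        "near-miss/index.js": "// life.polarlabs.repl.com is a different host\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root, build_matcher(DEFANGED_IOCS))

if __name__ == "__main__":
    print(demo())
```

A clean result only means the hosts do not appear in plain text in the scanned files; the same matcher can be run over proxy or DNS log lines to look for outbound connections.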

With more than 11 million users using npm, the potential audience of a successful supply chain attack is significant compared with an attack targeting a specific company.

This research was conducted and documented by Kaspersky researchers.
