Researchers have discovered an attack campaign named Lofylife that uses malicious npm packages, targeting Discord users to steal Discord tokens and users’ card data.
The Python malware is a modified version of an open-source token logger called Volt Stealer. It is intended to steal Discord tokens from infected machines, along with the victim’s IP address, and upload them via HTTP.
It detects when a user logs in, changes email or password, enables/disables MFA, and adds new payment methods, including complete bank card details. Collected information is also uploaded to the remote endpoint whose address is hard-coded.
The campaign is a piece of evidence against the developer community and downstream customers of Dev environment, unwittingly downloading malware as they use open-source packages to accelerate time-to-market.
Data is exfiltrated to Replit-hosted instances:
With more than 11 million users using npm, the potential audience of a successful supply chain attack is significant compared to targeting a specific company.
This research was conducted and documented by Kaspersky researchers