On July 26, using the internal automated system for monitoring open-source repositories, Kaspersky researchers identified a malicious campaign dubbed LofyLife. The campaign employed 4 malicious packages spreading Volt Stealer and Lofy Stealer malware in the open-source npm repository to gather various information from victims, including Discord tokens and credit card information, and to spy on them over time.

The npm repository is a public collection of open-source code packages widely used in front-end web apps, mobile apps, robots and routers, and also to serve countless needs of the JavaScript community. Its popularity makes the LofyLife campaign even more dangerous, as it could potentially have affected numerous users of the repository.

The identified malicious repositories appeared to be packages used for ordinary tasks such as formatting headlines or certain gaming functions, however they contained highly obfuscated malicious JavaScript and Python code. This made them harder to analyze when being uploaded to the repository. The malicious payload consisted of malware written in Python dubbed Volt Stealer, and a JavaScript malware dubbed Lofy Stealer, which possesses numerous features.

Volt Stealer was used to steal Discord tokens from the infected machines along with the victim’s IP address, and upload them via HTTP. The Lofy Stealer, a new development from the attackers, is able to infect Discord client files and monitor the victim's actions - detecting when a user logs in, changes email or password details, enables or disables multi-factor authentication and adds new payment methods, including full credit card details. Collected information is also uploaded to the remote endpoint.

“Developers rely heavily on open-source code repositories – they use them to make IT-solution developments faster and more efficient, and significantly contribute to the development of the IT industry as a whole. As the LofyLife campaign shows, however, even reputable repositories cannot be trusted by default – all code, including open-source code, that a developer injects into his products becomes their own responsibility. We’ve added detections of this malware to our products, so users who run our solutions will be able to identify whether they have been infected and remove the malware,” comments Leonid Bezvershenko, security researcher at Kaspersky’s Global Research and Analysis Team.

Kaspersky products detect LofyLife malware as Trojan.Python.Lofy.a, Trojan.Script.Lofy.gen.

Read more details of the campaign on Securelist.

-Ends-

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.