The Cyber Security News

Malicious Npm Packages Tapped Again to Target Discord Users

July 29, 2022

The latest LofyLife campaign steals tokens and infects client files to monitor a range of user actions, such as log-ins, password changes and the addition of payment methods.

Threat actors are once again using the node package manager (npm) repository to hide malware that can steal Discord tokens to monitor user sessions and steal data on the popular chat and collaboration platform, researchers have found.

A campaign identified this week by Kaspersky researchers hides an open-source token logger alongside a novel JavaScript malware in npm packages. The campaign, dubbed LofyLife, is aimed at stealing Discord tokens as well as victims’ IP addresses from infected machines, they said in a blog post on Securelist published Thursday.


Researchers were monitoring open-source repositories on Tuesday when they noticed suspicious activity in the form of four packages in the npm repository containing “highly obfuscated malicious Python and JavaScript code,” they wrote in the post.

The Python code turned out to be a modified version of the open-source token logger Volt Stealer, while the novel JavaScript malware, dubbed “LofyStealer,” was created to infect Discord client files so threat actors can monitor the victim’s actions, researchers said.

“It detects when a user logs in, changes email or password, enables/disables multi-factor authentication (MFA) and adds new payment methods, including full bank card details,” researchers Igor Kuznetsov and Leonid Bezvershenko wrote. “Collected data is also uploaded to the remote endpoint whose address is hard-coded.”

Npm As Supply-Chain Threat

The npm repository is an open-source home for JavaScript developers to share and reuse code blocks that can then be assembled into a wide range of web applications. The repository poses a significant supply-chain risk: if a package is corrupted, the malicious code is propagated into every app that depends on it, and from there can be used to attack those apps’ myriad users. Because npm runs a package’s install-time lifecycle scripts automatically, a poisoned package can also execute on the developer’s machine before any of its code is ever imported.
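The following is an added example and is not code from the article, from Kaspersky or from the LofyLife packages. It is a small Node.js pre-install audit that scans a package’s manifest and source files for the indicator classes discussed above: install-time lifecycle hooks, dynamic code execution and base64- or hex-obscured payloads as proxies for heavy obfuscation, and hard-coded remote endpoints. The package contents, indicator weights and gate thresholds are constructed for illustration; the sample packages are not real packages from the campaign.

```javascript
// Added example (not from the article, Kaspersky or the LofyLife packages):
// a pre-install heuristic audit of an npm package for the indicator classes
// discussed above. Package contents, indicator weights and thresholds are
// constructed for illustration.
"use strict";

// Lifecycle hooks that npm runs automatically during `npm install`; a
// malicious package uses these to execute before any of its code is imported.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Source-level indicators. Each is a heuristic, not proof of malice: bundlers
// and minifiers legitimately produce some of these patterns.
const SOURCE_INDICATORS = [
  { kind: "dynamic-eval", re: /\beval\s*\(|new\s+Function\s*\(/ },
  { kind: "base64-decode", re: /Buffer\.from\s*\([^)]*['"]base64['"]\s*\)|\batob\s*\(/ },
  { kind: "hex-escaped-string", re: /(?:\\x[0-9a-fA-F]{2}){8,}/ },
  { kind: "child-process", re: /require\s*\(\s*['"]child_process['"]\s*\)/ },
];

// Hard-coded http(s) endpoints; the URL is reported so a reviewer can check
// whether it belongs to the package's stated purpose.
const URL_RE = /https?:\/\/[A-Za-z0-9.\-]+(?::\d+)?(?:\/[^\s'"`)]*)?/g;

// Weights are illustrative; install hooks weigh most because they give the
// attacker execution on the developer machine without any import.
const WEIGHTS = {
  "install-hook": 3,
  "dynamic-eval": 2,
  "hex-escaped-string": 2,
  "base64-decode": 1,
  "child-process": 1,
  "hardcoded-endpoint": 1,
};

// pkg = { manifest: <parsed package.json>, files: { "<path>": "<source>" } }
function auditPackage(pkg) {
  const findings = [];
  const scripts = (pkg.manifest && pkg.manifest.scripts) || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) {
      findings.push({ kind: "install-hook", where: hook, detail: scripts[hook] });
    }
  }
  for (const [file, src] of Object.entries(pkg.files || {})) {
    for (const ind of SOURCE_INDICATORS) {
      if (ind.re.test(src)) findings.push({ kind: ind.kind, where: file });
    }
    for (const url of src.match(URL_RE) || []) {
      findings.push({ kind: "hardcoded-endpoint", where: file, detail: url });
    }
  }
  return findings;
}

function riskScore(findings) {
  return findings.reduce((sum, f) => sum + (WEIGHTS[f.kind] || 0), 0);
}

// Map the score to a CI gate decision: "allow", "review" or "block".
function verdict(pkg) {
  const findings = auditPackage(pkg);
  const score = riskScore(findings);
  const level = score >= 5 ? "block" : score >= 2 ? "review" : "allow";
  return { name: pkg.manifest.name, score, level, findings };
}

// Constructed sample packages (not real packages).
const BENIGN = {
  manifest: { name: "pad-helper", version: "1.0.0", scripts: { test: "node test.js" } },
  files: { "index.js": "module.exports = (s, n) => String(s).padStart(n);\n" },
};

const SUSPICIOUS = {
  manifest: { name: "colour-themes", version: "0.0.3", scripts: { postinstall: "node setup.js" } },
  files: {
    "index.js": "module.exports = { dark: '#000', light: '#fff' };\n",
    "setup.js":
      "const payload = Buffer.from('Y29uc29sZS5sb2coJ2hpJyk=', 'base64').toString();\n" +
      "const endpoint = 'https://collector.example.invalid/upload';\n" +
      "eval(payload);\n",
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const pkg of [BENIGN, SUSPICIOUS]) {
    console.log(JSON.stringify(verdict(pkg), null, 2));
  }
}

if (typeof module !== "undefined") {
  module.exports = { auditPackage, riskScore, verdict, BENIGN, SUSPICIOUS };
}
```

In practice this runs in CI against the unpacked tarball (`npm pack`, then read the files) before anything is installed, and the output is a review queue rather than a verdict: minified or bundled legitimate packages trip the obfuscation heuristics too. Installing with `npm install --ignore-scripts` stops the lifecycle-hook path from executing at all, which removes the attacker’s easiest foothold regardless of what the scan finds.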

Indeed, attacking open-source repositories can be an unusually stealthy way for threat actors to target scores of applications and users in one fell swoop. This was made abundantly clear by the now-infamous Log4Shell debacle, when a zero-day flaw in the ubiquitous Java logging library Apache Log4j, used by numerous web applications, threatened to break the internet. Log4Shell was an unintentional flaw in a legitimate library rather than a deliberately poisoned package, but the lesson is the same: a single widely used dependency puts every downstream application at risk at once.

“Many people assumed that software produced by a vendor was fully authored by that vendor, but in truth there could be hundreds of third-party libraries making up even the simplest software,” observed Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, in an email to Threatpost.

This broad attack surface has not gone unnoticed by threat actors, who increasingly are targeting open-source repositories to hide malware that can lurk unsuspected across multiple platforms.

“Any attack vector that can reach a significant number of targets, or a number of significant targets, is of interest to threat actors,” Casey Bisson, head of product and developer enablement at code-security firm BluBracket, wrote in an email to Threatpost.

Discord in the Crosshairs

Npm has become an especially attractive target for threat actors as it not only has tens of millions of users, but packages hosted by the repository also have been downloaded billions of times, he said.

“It’s used both by professional Node.js developers and those using it casually as part of other activities,” Bisson observed. “Npm modules are used both in Node.js production applications, and in developer tooling for applications that would not otherwise use Node. That ubiquitous use among developers makes it a big target.”

Indeed, LofyLife is not the first time threat actors have used npm to target Discord users. In December, researchers at JFrog discovered a set of 17 malicious npm packages with varying payloads and tactics that targeted the virtual meeting platform, which is used by 350 million people and enables communication via voice calls, video calls, text messaging and media.

Prior to that, in January 2021, other researchers identified three malicious npm packages from the threat actors behind the CursedGrabber malware, aimed at stealing Discord tokens and other data from users of the platform.

Kaspersky, among other security firms, is continuously monitoring updates to npm repositories to ensure that new malicious packages are detected and removed, researchers said.


Some parts of this article are sourced from threatpost.com.

Copyright © TheCyberSecurity.News, All Rights Reserved.