Skip links

Miscreants aim to cause Discord discord with malicious npm packages

Cybercriminals continue to use npm packages to drop malicious packages on unsuspecting victims, most recently to steal Discord login tokens, bank card data, and other user information from infected systems.

Details of the latest npm campaign, dubbed “LofyLife” by Kaspersky threat intelligence hunters, comes at the same time that GitHub – which owns NPM the compny, and in turn is owned by Microsoft – unveiled an array of enhancements to npm security in the wake several high-profile incidents involving malicious npm packages.And it’s needed

“Any attack vector that can reach a significant number of targets – or a number of significant targets – is of interest to threat actors,” Casey Bisson, head of product and developer enablement at code security vendor BluBracket, told The Register, adding that npm has tens of millions of users and tens of billions of hosted package downloads.

“NPM doesn’t just provide an attack vector to large numbers of targets; the targets themselves are especially interesting. Enterprises and individual developers both often have greater resources than the average population, and lateral attacks after gaining a beachhead in a developer’s machine or enterprise systems are generally also rather fruitful.”

The Kaspersky researchers, Igor Kuznetsov and Leonid Bezvershenko, wrote in a report late last week that they identified four suspicious packages in the npm repository, all of which held highly obfuscated JavaScript and Python code. They put all of those under the LofyLife banner.

The Python malware is a modified iteration of Volt Stealer, an open-source token logger. According to Kaspersky, the Python code is designed to steal Discord tokens and IP addresses from infected machines and upload them through HTTP.

“The JavaScript malware we dubbed ‘Lofy Stealer’ was created to infect Discord client files in order to monitor the victim’s actions,” the researchers wrote. “It detects when a user logs in, changes email or password, enables/disables multi-factor authentication … and adds new payment methods, including complete bank card details.”

The malware is hidden in four malicious npm modules: small-sm, pern-valids, lifeculer, and proc-title. These were dressed up to appear to be useful, innocent libraries that developers then pull into their applications and execute.

Once running on a machine, the malware collects information from the system and uploads it to a remote endpoint whose address is hard-coded, Team Kaspersky wrote. Data, such as people’s Discord login tokens, is exfiltrated to instances hosted on Replit: life.polarlabs.repl[.]co, Sock.polarlabs.repl[.]co, and idk.polarlabs.repl[.]co.

Given the high number of JavaScript packages hosted by npm for developers, it’s not surprising that it has become a target for cybercriminals wishing to disrupt the software supply chain. Once a miscreant has broken into the account of an npm package maintainer and manipulated their library code to include malware, or uploads a new malicious package to lure devs into using the code, the malicious scripts can start making their way into apps, and run on victims and developers’ computers.

Software supply chains have long been targets of attackers, particularly those targeting frameworks like shopping carts or development tooling, according to Tim Mackey, principal security strategist at Synopsis’ Cybersecurity Research Center.

“What we’re seeing recently is a recognition that attacks we used to categorize as malware or as a data breach are in reality compromises of the trust organizations place in the software they’re both creating and consuming,” Mackey told The Register. “Many people assumed that software created by a vendor was entirely authored by that vendor, but in reality, there could be hundreds of third-party libraries making up even the simplest software.”

Such libraries “are effectively suppliers within the software supply chain for the application, but the decision to use any given supplier was made by a developer solving a feature problem and not by a businessperson focused on business risks,” he said.

Easy pickings getting harder

Garwood Pang, senior security researcher at container and Kubernetes security specialist Tigera, told The Register that it appears that “this malware is targeting inexperienced developers (ie students) running local instances of node. Targeting Discord provides a lot of reach. Stolen Discord tokens can be leveraged for spear phishing attempts to the victims’ friends.”

The detection of LofyLife comes as GitHub makes a few changes to npm. That includes a streamlined login and publish experience in the npm CLI and the ability to connect GitHub and Twitter accounts to npm. In addition, all npm packages were re-signed, and GitHub added a new npm CLI command for auditing the integrity of the package.

GitHub also is making enhanced two-factor authentication generally available on NPM. GitHub in May announced a public beta release of 2FA and improvements fueled by user suggestions were incorporated.

The org also noted that developers have long been able to include GitHub and Twitter handles on their npm profiles to connect the identity of an npm account to that on other platforms, but that the data was a free-form text field that wasn’t validated or verified. Linking the accounts through official integrations with both GitHub and Twitter ensures that verified account data is included on npm profiles.

“We will no longer be showing the previously unverified GitHub or Twitter data on public user profiles, making it possible for developers to audit identities and trust that an account is who they say they are,” GitHub’s Myles Borins and Monish Mohan wrote when announcing the enhancements. “Having a verified link between your identities across platforms significantly improves our ability to do account recovery. This new verified data lays the foundation for automating identity verification as part of account recovery.”

Eventually GitHub will no not recognize the legacy data, but right now will continue to honor it to ensure users aren’t locked out of their accounts. ®