Cybercriminals continue to use npm packages to drop malicious packages on unsuspecting victims, most recently to steal Discord login tokens, bank card data, and other user information from infected systems.
Details of the latest npm campaign, dubbed “LofyLife” by Kaspersky threat intelligence hunters, comes at the same time that GitHub – which owns NPM the compny, and in turn is owned by Microsoft – unveiled an array of enhancements to npm security in the wake several high-profile incidents involving malicious npm packages.And it’s needed
“Any attack vector that can reach a significant number of targets – or a number of significant targets – is of interest to threat actors,” Casey Bisson, head of product and developer enablement at code security vendor BluBracket, told The Register, adding that npm has tens of millions of users and tens of billions of hosted package downloads.
“NPM doesn’t just provide an attack vector to large numbers of targets; the targets themselves are especially interesting. Enterprises and individual developers both often have greater resources than the average population, and lateral attacks after gaining a beachhead in a developer’s machine or enterprise systems are generally also rather fruitful.”
The Python malware is a modified iteration of Volt Stealer, an open-source token logger. According to Kaspersky, the Python code is designed to steal Discord tokens and IP addresses from infected machines and upload them through HTTP.
The malware is hidden in four malicious npm modules: small-sm, pern-valids, lifeculer, and proc-title. These were dressed up to appear to be useful, innocent libraries that developers then pull into their applications and execute.
Once running on a machine, the malware collects information from the system and uploads it to a remote endpoint whose address is hard-coded, Team Kaspersky wrote. Data, such as people’s Discord login tokens, is exfiltrated to instances hosted on Replit: life.polarlabs.repl[.]co, Sock.polarlabs.repl[.]co, and idk.polarlabs.repl[.]co.
Software supply chains have long been targets of attackers, particularly those targeting frameworks like shopping carts or development tooling, according to Tim Mackey, principal security strategist at Synopsis’ Cybersecurity Research Center.
“What we’re seeing recently is a recognition that attacks we used to categorize as malware or as a data breach are in reality compromises of the trust organizations place in the software they’re both creating and consuming,” Mackey told The Register. “Many people assumed that software created by a vendor was entirely authored by that vendor, but in reality, there could be hundreds of third-party libraries making up even the simplest software.”
Such libraries “are effectively suppliers within the software supply chain for the application, but the decision to use any given supplier was made by a developer solving a feature problem and not by a businessperson focused on business risks,” he said.
Easy pickings getting harder
Garwood Pang, senior security researcher at container and Kubernetes security specialist Tigera, told The Register that it appears that “this malware is targeting inexperienced developers (ie students) running local instances of node. Targeting Discord provides a lot of reach. Stolen Discord tokens can be leveraged for spear phishing attempts to the victims’ friends.”
The detection of LofyLife comes as GitHub makes a few changes to npm. That includes a streamlined login and publish experience in the npm CLI and the ability to connect GitHub and Twitter accounts to npm. In addition, all npm packages were re-signed, and GitHub added a new npm CLI command for auditing the integrity of the package.
GitHub also is making enhanced two-factor authentication generally available on NPM. GitHub in May announced a public beta release of 2FA and improvements fueled by user suggestions were incorporated.
The org also noted that developers have long been able to include GitHub and Twitter handles on their npm profiles to connect the identity of an npm account to that on other platforms, but that the data was a free-form text field that wasn’t validated or verified. Linking the accounts through official integrations with both GitHub and Twitter ensures that verified account data is included on npm profiles.
“We will no longer be showing the previously unverified GitHub or Twitter data on public user profiles, making it possible for developers to audit identities and trust that an account is who they say they are,” GitHub’s Myles Borins and Monish Mohan wrote when announcing the enhancements. “Having a verified link between your identities across platforms significantly improves our ability to do account recovery. This new verified data lays the foundation for automating identity verification as part of account recovery.”
Eventually GitHub will no not recognize the legacy data, but right now will continue to honor it to ensure users aren’t locked out of their accounts. ®