The researchers found at least 200 malicious npm packages uploaded to the official npm registry by various sock puppet accounts belonging to LofyGang. These npm packages mimic legitimate packages that help users interact with the Discord API. LofyGang tricks users into installing the malicious packages rather than the legitimate ones by uploading multiple variants of its packages under different misspellings of popular package names (typosquatting). The group also ties its npm packages to active and reputable GitHub repositories in order to lend the malicious packages credibility on the npm site. An unsuspecting user who makes a typo when searching for a legitimate package may land on the listing for one of these malicious packages, fail to notice the misspelling, and end up installing it.
Unfortunately for those who install these malicious npm packages, the packages serve to steal users' account and credit card credentials. However, rather than containing malicious code directly, the packages depend on secondary packages that contain the malicious code. Hiding the malware in a dependency this way means that the original packages are less likely to be reported as malicious and removed from the npm site. If one of the malicious dependencies is reported and removed, the threat actor can simply upload a new malicious dependency and push an update to the original npm package already installed by the user, pointing it at the new dependency.
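The two techniques above, typosquatted names and malicious code pushed down into a transitive dependency, are what a dependency audit has to look for. The following is an added example, not code from Checkmarx or from the original article: it computes the edit distance between every package in a dependency graph and a short allow-list of popular package names, and walks the graph breadth-first so that a lookalike hidden several hops down is reported together with the chain that pulls it in. The allow-list, the dependency graph and the lookalike name `dicsord.js` are all constructed for this demonstration and are not real LofyGang packages.

```python
"""Flag dependency names that look like misspellings of popular packages.

Added example; not code from Checkmarx or the original article. The popular
package list and the sample dependency tree below are constructed for this
demonstration; the lookalike names are NOT real LofyGang packages.
"""
from collections import deque

# Constructed allow-list: packages a project legitimately expects to use.
POPULAR = {"discord.js", "discord-api-types", "axios", "node-fetch"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), classic DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(name: str, popular=POPULAR, max_dist: int = 2):
    """Return (popular_name, distance) for the popular package `name` most
    closely resembles, or None. Exact matches are legitimate -> None."""
    if name in popular:
        return None
    best = None
    for p in popular:
        d = edit_distance(name.lower(), p.lower())
        if d <= max_dist and (best is None or d < best[1]):
            best = (p, d)
    return best


def audit_tree(tree: dict, root: str, popular=POPULAR, max_dist: int = 2):
    """Walk the whole dependency graph from `root` (BFS). A lookalike that
    only appears as a transitive dependency is reported with the chain of
    packages that pulls it in, which is the hop an attacker can re-point
    after a takedown."""
    findings = []
    seen = {root}
    queue = deque([(root, [root])])
    while queue:
        pkg, chain = queue.popleft()
        for dep in tree.get(pkg, []):
            hit = lookalike_of(dep, popular, max_dist)
            if hit:
                findings.append({"package": dep, "resembles": hit[0],
                                 "distance": hit[1], "chain": chain + [dep]})
            if dep not in seen:
                seen.add(dep)
                queue.append((dep, chain + [dep]))
    return findings


# Constructed dependency graph: package -> its declared dependencies.
# The top-level package looks clean; the lookalike only appears two hops down.
SAMPLE_TREE = {
    "my-bot": ["discord.js", "helper-utils"],
    "discord.js": ["discord-api-types"],
    "helper-utils": ["common-tools"],
    "common-tools": ["dicsord.js"],  # constructed typo of discord.js
}

if __name__ == "__main__":
    for f in audit_tree(SAMPLE_TREE, "my-bot"):
        print(f"{f['package']} resembles {f['resembles']} "
              f"(distance {f['distance']}) via {' -> '.join(f['chain'])}")
```

A distance threshold of 2 catches single typos and adjacent-character transpositions; raising it produces more false positives against short names, so in practice the allow-list should be the project's own expected packages rather than a global list. The chain in each finding is what matters operationally: if the flagged package is removed from the registry, the package one hop above it is the one that can be updated to pull in a replacement.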
Another avenue for promoting LofyGang's hacking tools is the group's Discord server, which has been in operation since October 2021. Users can join the server to get help using the tools. The server also features a Discord bot that can grant users a free Discord Nitro subscription paid for with stolen credit card credentials. However, in order to use the bot, users have to hand over their own Discord account credentials, which LofyGang likely adds to the pile of credentials already stolen by its malicious packages and tools. At the end of the day, Checkmarx's report makes clear that anyone using LofyGang's packages, tools, and services ends up handing over their account and credit card credentials, whether they realize it or not.