Security researchers at Kaspersky recently uncovered a campaign, named LofyLife, that steals tokens and infects client files, allowing the attackers to monitor certain user actions such as logins, password changes, and changes to payment methods. The campaign targets Discord users via the Node Package Manager (npm) repository. In addition to these capabilities, the attacker can also steal information related to multi-factor authentication. Kaspersky noticed the campaign on Tuesday after detecting suspicious activity originating from four packages containing obfuscated malicious Python and JavaScript code. After investigating, the researchers found that the Python code was a version of the open-source token logger Volt Stealer.
Researchers at Kaspersky stated that the npm repository acts as an open-source space for JavaScript developers to share and reuse code blocks when building different web applications. If corrupted, the repository poses a significant risk, because its supply-chain role means that malicious code could be propagated into various apps. Attacking open-source repositories is a stealthy way for threat actors to target numerous apps with just one action: injecting or depositing the malicious code. Security companies like Kaspersky continue to monitor these repositories to ensure that malicious code is identified and removed.
Read More: Malicious Npm Packages Tapped Again to Target Discord Users