An ongoing malicious campaign, dubbed LofyLife, has been spotted using malicious npm packages to infect Discord users with malware. The attackers are using four npm packages to steal payment card information.
The malicious npm packages
According to Kaspersky researchers, the attackers have developed malware using a variant of the open-source Volt Stealer token logger and Lofy Stealer.
The malware is deployed automatically after installing the modules, named pern-valids, lifeculer, small-sm, or proc-title npm.
The aim of the attack
Once installed, Volt Stealer collects Discord tokens and system details such as victims' IP addresses.
Lofy Stealer monitors the victims' actions, including Discord logins, attempts to change credentials, MFA toggles, or the newly added payment methods to steal Discord accounts and payment details.
Once the data is collected, it is uploaded to one of the Replit-hosted instances, whose addresses are hard-coded inside the malware (e.g., sock[.]polarlabs[.]repl[.]co and life[.]polarlabs[.]repl[.]co).
The researchers have stated that they're still monitoring updates to npm repositories to make sure all new malicious packages spreading these malware strains are detected and stopped.
The active targeting of the npm repository to push malicious code-laden packages can give rise to increased supply chain attacks. Therefore, users are suggested to vet and perform due diligence on third-party modules. Before upgrading, ensure to review the changelog and release notes of the upgraded version.