LofyGang distributes 199 trojanized NPM packages to steal data
The software security company Checkmarx has uncovered the malicious activities of the threat actor LofyGang, which distributes trojanized and typosquatted packages on the NPM open source repository.
Security researchers discovered 199 rogue packages with thousands of installations in total. The aim of the campaign is to steal credit card data and user accounts related to Discord Nitro, gaming and streaming services, they said.
While the gang has been carrying out the malicious campaign for over a year, security vendors including JFrog, Sonatype and Kaspersky had already identified numerous parts of the gang’s operation. The report from Checkmarx, however, was able to bring those findings under one umbrella.
According to the Checkmarx report, the attacker is believed to be a criminal group of Brazilian origin. The attackers use sock puppet accounts to promote their tools and services on GitHub and YouTube. They are also known to have leaked thousands of Disney+ and Minecraft accounts on underground hacker forums.
The gang uses a Discord server set up on 31 October 2021 to provide technical support and communicate with members.
“LofyGang operators are seen promoting their hacking tools in hacking forums, while some of the tools are shipped with a hidden backdoor. Discord, Repl.it, glitch, GitHub, and Heroku are just a few services LofyGang is using as [command-and-control] servers for their operation,” the researchers said.
The fraudulent packages used by the attackers contain password stealers and Discord-specific malware, some of which is designed for credit card theft. The malicious packages are published through different user accounts, so that the other weaponized libraries on the repository remain untouched even if one of them is detected and removed, which helps to conceal the supply chain attack.
The attackers also use an insidious technique that keeps the top-level package free of malware while making it depend on another package that introduces the malicious capabilities. LofyGang’s shared hacking tools likewise depend on malicious packages that act as a channel to install persistent backdoors on the machines of the operators who run them.
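The clean-top-level-package trick described above means a review that only looks at the packages named in package.json will miss the payload, so a defender has to inspect the resolved dependency tree. The following Node.js script is an added example written for this piece, not code from Checkmarx or from the article's sources: it walks a constructed package-lock.json (lockfile version 3 layout), records how deep in the tree each package sits, and flags names within a small edit distance of a short, constructed list of well-known package names. The sample lockfile, the lookalike name `discrod.js`, the `clean-helper` package and the popular-package list are all invented for the demonstration.

```javascript
// Added example: flag typosquat-looking names anywhere in an npm dependency tree,
// including transitive dependencies pulled in by an otherwise clean top-level package.

// Constructed sample lockfile (npm lockfileVersion 3 layout, "packages" keyed by install path).
// None of these packages or versions are from the LofyGang report.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "clean-helper": "1.0.0" } },
    "node_modules/clean-helper": {
      version: "1.0.0",
      dependencies: { "discrod.js": "14.0.0" } // constructed lookalike of discord.js
    },
    "node_modules/discrod.js": { version: "14.0.0" },
    "node_modules/lodash": { version: "4.17.21" }
  }
};

// Short, constructed allowlist of popular names; a real check would use a larger list.
const POPULAR = ["discord.js", "lodash", "express", "axios", "colors"];

// Classic Levenshtein edit distance (insertions, deletions, substitutions).
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Package name from an install path such as "node_modules/a/node_modules/@s/b" -> "@s/b".
function nameFromPath(installPath) {
  const marker = "node_modules/";
  return installPath.slice(installPath.lastIndexOf(marker) + marker.length);
}

// Find the lockfile entry for a package name, whether hoisted or nested under another package.
function findEntry(lock, name) {
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "node_modules/" + name || path.endsWith("/node_modules/" + name)) return entry;
  }
  return undefined;
}

// Breadth-first walk from the root: depth 0 = declared in package.json, >0 = transitive.
function dependencyDepths(lock) {
  const depths = {};
  const queue = [];
  const root = lock.packages[""] || {};
  for (const name of Object.keys(root.dependencies || {})) {
    depths[name] = 0;
    queue.push(name);
  }
  while (queue.length) {
    const name = queue.shift();
    const entry = findEntry(lock, name);
    if (!entry) continue;
    for (const dep of Object.keys(entry.dependencies || {})) {
      if (!(dep in depths)) {
        depths[dep] = depths[name] + 1;
        queue.push(dep);
      }
    }
  }
  return depths;
}

// Report every installed package whose name is a near miss of a popular name.
// depth is null for packages present in the lockfile but unreachable from the root.
function findSuspects(lock, popular = POPULAR, maxDistance = 2) {
  const depths = dependencyDepths(lock);
  const suspects = [];
  for (const path of Object.keys(lock.packages)) {
    if (path === "") continue;
    const name = nameFromPath(path);
    if (popular.includes(name)) continue; // exact match to a known name is expected
    for (const known of popular) {
      const distance = levenshtein(name, known);
      if (distance > 0 && distance <= maxDistance) {
        suspects.push({ name, lookalike: known, distance, depth: depths[name] ?? null });
        break;
      }
    }
  }
  return suspects;
}

// Stand-alone run against the constructed lockfile.
for (const s of findSuspects(SAMPLE_LOCK)) {
  const where = s.depth === 0 ? "direct dependency" : `transitive dependency (depth ${s.depth})`;
  console.log(`suspicious: ${s.name} resembles ${s.lookalike} (distance ${s.distance}), ${where}`);
}
```

On the sample tree the only finding is `discrod.js`, reported at depth 1 because it is reached only through `clean-helper`, which is exactly the shape the article describes: the package a developer chose looks harmless, and the name worth questioning is one level down. Against a real project, replace `SAMPLE_LOCK` with the parsed contents of package-lock.json and extend the popular-name list; edit distance alone produces false positives for legitimately similar names, so treat the output as a review queue rather than a verdict.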
The sources for this piece include an article in TheHackerNews.