LofyGang distributes 199 trojanized NPM packages to steal data


Obanla Opeyemi

October 17, 2022 - TuxCare expert team

The software security company Checkmarx has uncovered the malicious activities of the threat actor LofyGang, which distributes trojanized and typosquatted packages on the NPM open source repository.

Security researchers discovered 199 rogue packages with thousands of installations in total. The aim of the campaign is to steal credit card data and user accounts related to Discord Nitro, gaming and streaming services, they said.

While the gang has been running this malicious campaign for over a year, security researchers at JFrog, Sonatype and Kaspersky had each identified separate parts of the gang’s operation. The report from Checkmarx, however, was able to bring them under one umbrella.

According to the Checkmarx report, the attacker is believed to be a criminal group of Brazilian origin. The attackers use sock puppet accounts to promote their tools and services on GitHub and YouTube. They are also known to have leaked thousands of Disney+ and Minecraft accounts on underground hacker forums.

The gang uses a Discord server set up on 31 October 2021 to provide technical support and communicate with members.

“LofyGang operators are seen promoting their hacking tools in hacking forums, while some of the tools are shipped with a hidden backdoor. Discord, Repl.it, glitch, GitHub, and Heroku are just a few services LofyGang is using as [command-and-control] servers for their operation,” the researchers said.

The fraudulent packages used by the attackers contain password stealers and Discord-specific malware, some of which is designed for credit card theft. The malicious packages are published from different user accounts, so that when one package is detected and removed, the other weaponized libraries in the repository remain untouched; this helps to hide the supply chain attack.

The attackers also use an insidious technique in which the top-level package is kept free of malware but depends on another package that introduces the malicious capabilities. LofyGang’s publicly shared hacking tools likewise depend on malicious packages, which act as a channel to install persistent backdoors on the machines of the operators who run them.
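Because the malicious code arrives through a dependency rather than the package a developer chose, a review of the top-level package alone misses it. The script below is an added example, not code from the article or from Checkmarx: it walks a constructed npm lockfile (lockfileVersion 3 layout, made-up package names) and reports the dependency chain from the project root to every transitive package that carries an install hook, which npm records as `hasInstallScript`.

```javascript
// Added example: surface transitive dependencies with install hooks in an
// npm lockfile. The lockfile and every package name here are constructed.
const CONSTRUCTED_LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "discord-helper-ui": "^1.0.0" } },
    "node_modules/discord-helper-ui": {
      version: "1.0.0",              // clean-looking top-level package
      dependencies: { "ui-color-utils": "^2.1.0" },
    },
    "node_modules/ui-color-utils": {
      version: "2.1.3",
      hasInstallScript: true,        // npm sets this when the package has install scripts
    },
  },
};

// Map package name -> { deps, hasInstallScript } from the lockfile's "packages" table.
// Nested and scoped paths ("node_modules/a/node_modules/@s/b") resolve to the last name.
function indexPackages(lock) {
  const index = new Map();
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "") continue;       // the root project entry
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    index.set(name, {
      deps: Object.keys(meta.dependencies || {}),
      hasInstallScript: Boolean(meta.hasInstallScript),
    });
  }
  return index;
}

// Depth-first walk from the root's direct dependencies. Returns one
// "root-dep -> ... -> pkg" chain per package that runs an install hook.
function findInstallScriptPaths(lock) {
  const index = indexPackages(lock);
  const findings = [];
  const visit = (name, path) => {
    const meta = index.get(name);
    if (!meta || path.includes(name)) return; // missing entry or dependency cycle
    const chain = [...path, name];
    if (meta.hasInstallScript) findings.push(chain.join(" -> "));
    meta.deps.forEach((dep) => visit(dep, chain));
  };
  Object.keys(lock.packages[""].dependencies || {}).forEach((dep) => visit(dep, []));
  return findings;
}

console.log(findInstallScriptPaths(CONSTRUCTED_LOCKFILE));
```

On a real project, replace the constructed object with `JSON.parse(fs.readFileSync("package-lock.json"))`; each reported chain names the direct dependency a developer actually chose, which is where the review should start.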

The sources for this piece include an article in TheHackerNews.
