Security researchers have discovered yet another supply chain attack campaign using malicious npm packages, this time targeting Discord users.
Kaspersky said it identified four suspicious packages in the popular npm repository and has named the campaign LofyLife. The packages carry malicious, obfuscated Python and JavaScript code.
The purpose of the campaign appears to be to steal Discord tokens and users’ card data.
“The Python malware is a modified version of an open source token logger called Volt Stealer. It is intended to steal Discord tokens from infected machines, along with the victim’s IP address, and upload them via HTTP,” said Kaspersky.
“The JavaScript malware we dubbed ‘Lofy Stealer’ was created to infect Discord client files in order to monitor the victim’s actions. It detects when a user logs in, changes email or password, enables/disables multi-factor authentication (MFA) and adds new payment methods, including complete bank card details. Collected information is also uploaded to the remote endpoint whose address is hard-coded.”
The campaign is yet another example of a growing threat to the developer community and its downstream customers: developers unwittingly pulling malware into their projects as they use open source packages to accelerate time-to-market.
Garwood Pang, senior security researcher at Tigera, explained that stolen Discord tokens could be leveraged in follow-on spear-phishing attacks on victims' friends.
“Npm provides one of the most popular package managers for JavaScript. This allows developers access to a huge library of open source packages to enhance their code. However, due to the ease of use and the number of listings, an inexperienced developer can easily import malicious packages without their knowledge,” he warned.
“With more than 11 million users using npm, the potential audience of a successful supply chain attack is significant compared to targeting a specific company.”
That has made npm an increasingly popular target. Earlier this month, security researchers discovered more than two dozen npm modules containing obfuscated JavaScript code designed to steal form data from the apps they were deployed to.