
LofyLife: malicious packages in npm repository

Vitus White
Last updated: 13 October

Open-source code is a blessing for the IT industry — it helps programmers save time and build products faster and more efficiently by eliminating the need to write repetitive common code. To facilitate this knowledge sharing, there are repositories — open platforms where any developer can publish packages containing their code to speed up the development process for other people.

Contents
  • So what is LofyLife?
  • How to protect from malicious packages

Such repositories serve countless needs of the IT community and are widely used in the development of practically any modern software: web apps, mobile apps, smart appliances, robots, you name it. The most popular packages get millions of weekly downloads and are at the foundation of many applications, from pet projects to well-known tech startups.

By some estimates, 97% of the code in modern web applications comes from npm modules. However, their popularity, and the fact that anyone can upload a package, inevitably attract cybercriminals. For example, in 2021 unknown attackers compromised several versions of a popular JavaScript library, UAParser.js, by injecting malicious code. This library was downloaded 6 to 8 million times every week. By infecting it, cybercriminals were able to mine cryptocurrency and steal confidential information such as browser cookies, passwords and operating system credentials from infected devices.

And here’s a more recent example: on July 26, 2022, our researchers discovered a new threat in the open-source npm repository, which they dubbed LofyLife.

So what is LofyLife?

Using an internal automated system for monitoring open-source repositories, our researchers identified a malicious campaign, which they dubbed LofyLife. The campaign employed four malicious packages spreading Volt Stealer and Lofy Stealer malware in the npm repository to gather various information from victims, including Discord tokens and linked credit card information, and to spy on them over time.

The identified malicious packages appeared to serve ordinary purposes such as formatting headlines or certain gaming functions. The descriptions of the packages were incomplete, and overall it looks like the attackers did not put much effort into them. Yet the ‘formatting headlines’ package was described in Brazilian Portuguese with a #brazil hashtag, which suggests the attackers were looking to target users based in Brazil. Other packages were presented in English, so they could be targeting users in other countries.

[Image] Description of one of the infected packages, “proc-title” (translation from Portuguese: This package correctly capitalizes your titles as per the Chicago manual of style)

These packages, however, contained highly obfuscated malicious JavaScript and Python code, which made them harder to analyze at upload time. The malicious payload consisted of malware written in Python dubbed Volt Stealer — an open-source malicious script — and a JavaScript malware dubbed Lofy Stealer, which has numerous features.
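The obfuscation mentioned above is also a usable signal for defenders: heavily encoded strings, obfuscator-style identifiers and runtime code construction are rare in ordinary library code. The following Node.js script is an added example (not code from the article or from Kaspersky) that counts a handful of such static indicators in a JavaScript source file and turns them into a triage score. The pattern set, the thresholds and the two sample sources are constructed assumptions, not a vendor's detection logic.

```javascript
// Added example, not code from the article: count cheap static indicators of
// JavaScript obfuscation and turn them into a triage score. Thresholds and
// patterns are illustrative assumptions, not a vendor's detection logic.
// Usage: node obf-check.js [path/to/file.js]   (no argument: analyze the samples)

const OBF_PATTERNS = {
  hexEscapes: /\\x[0-9a-fA-F]{2}/g,            // "\x68\x65\x6c..." string encoding
  unicodeEscapes: /\\u[0-9a-fA-F]{4}/g,        // "\u0068..." string encoding
  hexIdentifiers: /\b_0x[0-9a-fA-F]{3,}\b/g,   // _0x1a2b-style names from common obfuscators
  dynamicEval: /\b(eval|Function)\s*\(/g,      // code assembled and executed at runtime
  bracketCalls: /\[\s*['"][A-Za-z_$][\w$]*['"]\s*\]/g, // obj["method"] instead of obj.method
};

function countMatches(src, re) {
  const m = src.match(re);
  return m ? m.length : 0;
}

// Returns the raw indicator counts, a score and a verdict for manual review.
function analyzeSource(src) {
  const indicators = {};
  for (const [key, re] of Object.entries(OBF_PATTERNS)) {
    indicators[key] = countMatches(src, re);
  }
  indicators.longestLine = src.split("\n").reduce((max, l) => Math.max(max, l.length), 0);

  let score = 0;
  if (indicators.hexEscapes + indicators.unicodeEscapes >= 10) score += 2;
  if (indicators.hexIdentifiers >= 3) score += 2;
  if (indicators.dynamicEval > 0) score += 1;
  if (indicators.bracketCalls >= 3) score += 1;
  if (indicators.longestLine > 1000) score += 1;

  return { score, suspicious: score >= 3, indicators };
}

// Constructed samples: a plain helper, and a harmless snippet written in the
// style of an obfuscator (the encoded strings are just "log", "hello", "world").
const BENIGN_SAMPLE = `
function capitalize(title) {
  return title.split(' ').map((w) => w[0].toUpperCase() + w.slice(1)).join(' ');
}
module.exports = { capitalize };
`;

const OBFUSCATED_SAMPLE =
  'var _0x4f2a=["\\x6c\\x6f\\x67","\\x68\\x65\\x6c\\x6c\\x6f","\\x77\\x6f\\x72\\x6c\\x64"];' +
  'var _0x1b3c=_0x4f2a[1]+" "+_0x4f2a[2];console[_0x4f2a[0]](_0x1b3c);' +
  'var _0x9e7d=Function("return 1");';

function report(label, src) {
  const r = analyzeSource(src);
  console.log(`${label}: score=${r.score} suspicious=${r.suspicious}`, r.indicators);
  return r;
}

if (typeof require !== "undefined" && require.main === module) {
  if (process.argv[2]) {
    report(process.argv[2], require("fs").readFileSync(process.argv[2], "utf8"));
  } else {
    report("benign sample", BENIGN_SAMPLE);
    report("obfuscated sample", OBFUSCATED_SAMPLE);
  }
}
```

Legitimately minified code also produces very long lines and bracket-notation access, so the score is a triage signal that routes a package to manual review, not a verdict on its own; the weights put more trust in encoded strings and `_0x` identifiers, which minifiers do not produce.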

Volt Stealer was used to steal Discord tokens from the infected machines along with the victim’s IP address, and upload them via HTTP. The Lofy Stealer, a new development from the attackers, is able to infect Discord client files and monitor the victim’s actions — detecting when a user logs in, changes registered e-mail or password, enables or disables multi-factor authentication and adds new payment methods (in which case it steals full credit card details). It uploads collected information to the remote endpoint.

How to protect from malicious packages

Open-source repositories allow anyone to publish their own packages, and not all of them are completely secure. For example, attackers can impersonate popular npm packages by changing one or two letters in the name to fool users into thinking they are downloading the genuine package. Therefore, we recommend staying on guard and not treating any package as inherently trusted.
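A concrete guard against the name impersonation just described: the following Node.js script is an added example (not code from the article or from Kaspersky) that compares every dependency in a package.json against an allowlist of well-known package names and reports names that are one or two edits away from a known name but are not on the list. The allowlist, the distance thresholds and the sample manifest are constructed assumptions.

```javascript
// Added example, not code from the article: flag dependency names that are
// near-misses of well-known npm packages (a simple typosquatting guard).
// Usage: node check-deps.js [path/to/package.json]   (no argument: check the sample)

// Constructed allowlist of well-known names. In practice, use your
// organisation's vetted list or the most-downloaded packages in the registry.
const KNOWN_PACKAGES = ["lodash", "express", "react", "axios", "chalk", "moment"];

// Levenshtein edit distance (insertions, deletions, substitutions),
// computed with a single rolling row of the DP table.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // cell up-left of the one being computed
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// How close is "too close": short names get a tighter bound so that
// genuinely different short packages are not reported.
function maxAllowedDistance(knownName) {
  return knownName.length >= 6 ? 2 : 1;
}

// Report every dependency that is not on the allowlist but lies within a
// small edit distance of an allowlisted name.
function findSuspiciousDependencies(deps, known = KNOWN_PACKAGES) {
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (known.includes(name)) continue; // exact match with a known name: fine
    for (const candidate of known) {
      const distance = editDistance(name, candidate);
      if (distance > 0 && distance <= maxAllowedDistance(candidate)) {
        findings.push({ name, closeTo: candidate, distance });
        break;
      }
    }
  }
  return findings;
}

// Merge both dependency sections of a package.json object and check them.
function checkPackageJson(pkg, known = KNOWN_PACKAGES) {
  const deps = Object.assign({}, pkg.dependencies || {}, pkg.devDependencies || {});
  return findSuspiciousDependencies(deps, known);
}

// Constructed sample manifest: "lodahs" and "expres" are deliberate near-misses.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { react: "^18.2.0", lodahs: "^4.17.21", expres: "^4.18.2", axios: "^1.4.0" },
  devDependencies: { chalk: "^5.3.0" },
};

if (typeof require !== "undefined" && require.main === module) {
  const pkg = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_PACKAGE_JSON;
  const findings = checkPackageJson(pkg);
  if (findings.length === 0) console.log("no near-miss dependency names found");
  for (const f of findings) {
    console.log(`suspicious: "${f.name}" is ${f.distance} edit(s) from "${f.closeTo}"`);
  }
}
```

Run it as a pre-install step in CI and fail the build on any finding; a name that is a near-miss of a well-known package is cheap to confirm by hand (check the publisher, download count and repository link on the registry) and expensive to discover after the package has run a script on a build machine.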

In general, development and build environments are convenient targets for attackers trying to organize supply chain attacks. That means such environments urgently require strong antimalware protection, such as Kaspersky Hybrid Cloud Security. Our products detect the LofyLife attack with the verdicts HEUR:Trojan.Script.Lofy.gen and Trojan.Python.Lofy.a.

If you want to be among the first to know about new malicious campaigns spreading via open-source code, subscribe to threat intelligence feeds and reports, such as the ones provided via the Threat Intelligence Portal.


Source: kaspersky.com


TAGGED: Authentication, Malware, PoC, Security, Software, Source code, Targeted Attack, Threat, Threats, Transport Layer Security
Vitus White October 13, 2022 October 7, 2022