Multiple npm packages are being used in an ongoing malicious campaign to infect Discord users with malware that steals their payment card information.

The malware used in these attacks is a variant of the open-source and Python-based Volt Stealer token logger and JavaScript malware dubbed Lofy Stealer, according to Kaspersky security researchers Igor Kuznetsov and Leonid Bezvershenko.

"On July 26, using the internal automated system for monitoring open-source repositories, we identified four suspicious packages in the Node Package Manager (npm) repository," the researchers said.

"All these packages contained highly obfuscated malicious Python and JavaScript code. We dubbed this malicious campaign 'LofyLife'."

The malware is automatically deployed after installing the small-sm, pern-valids, lifeculer, or proc-title malicious npm modules.

Once installed, the Volt Stealer variant collects Discord tokens and system information, including the victims' IP addresses.

Lofy Stealer monitors the victims' actions, such as Discord logins, attempts to change credentials, multi-factor authentication (MFA) toggles, or the addition of new payment methods, in order to steal Discord accounts and payment information.

Stolen data uploaded to attacker-controlled servers

Once harvested, this data is uploaded to one of several Replit-hosted instances whose addresses are hard-coded within the malware (e.g., life.polarlabs.repl[.]co, sock.polarlabs.repl[.]co, idk.polarlabs.repl[.]co).
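For defenders checking whether a project pulled in any of the four package names above, or whether code in a dependency tree carries the hard-coded Replit hosts just quoted, the following is an added example (not from the article or from Kaspersky): it reads a package-lock.json (lockfile versions 1, 2 and 3) and scans JavaScript files for those host strings. The sample lockfile embedded below is constructed for illustration.

```python
import json
from pathlib import Path

# Package names reported in the LofyLife campaign (taken from the article).
LOFYLIFE_PACKAGES = {"small-sm", "pern-valids", "lifeculer", "proc-title"}
# Exfiltration hosts quoted in the article, written un-defanged so they can be matched in code.
LOFYLIFE_HOSTS = ("life.polarlabs.repl.co", "sock.polarlabs.repl.co", "idk.polarlabs.repl.co")


def lockfile_package_names(lock: dict) -> set:
    """Collect every package name in a parsed package-lock.json, whatever its lockfileVersion."""
    names = set()
    # lockfileVersion 2/3: "packages" is keyed by install path, e.g. "node_modules/a/node_modules/b".
    for path in lock.get("packages", {}):
        if path:  # "" is the root project itself
            names.add(path.rsplit("node_modules/", 1)[-1])  # keeps "@scope/name" intact

    # lockfileVersion 1 (and the compatibility copy in v2): nested "dependencies" tree.
    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            names.add(name)
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return names


def find_lofylife_packages(lock: dict) -> list:
    """Return the known LofyLife package names present in the lockfile, sorted."""
    return sorted(lockfile_package_names(lock) & LOFYLIFE_PACKAGES)


def find_hardcoded_hosts(text: str) -> list:
    """Return any of the known exfiltration hosts that appear literally in a source file."""
    return sorted(h for h in LOFYLIFE_HOSTS if h in text)


def scan_project(root: Path) -> dict:
    """Scan a project directory: its lockfile for package names, its .js files for hosts."""
    findings = {"packages": [], "hosts": {}}
    lock_path = root / "package-lock.json"
    if lock_path.is_file():
        findings["packages"] = find_lofylife_packages(json.loads(lock_path.read_text()))
    for js in root.rglob("*.js"):
        hits = find_hardcoded_hosts(js.read_text(errors="ignore"))
        if hits:
            findings["hosts"][str(js.relative_to(root))] = hits
    return findings


# Constructed sample lockfile (not real data) showing a v2 file that pulled in proc-title.
SAMPLE_LOCK = {
    "lockfileVersion": 2,
    "packages": {"": {"name": "demo"}, "node_modules/express": {"version": "4.18.2"},
                 "node_modules/express/node_modules/proc-title": {"version": "1.0.0"}},
    "dependencies": {"express": {"version": "4.18.2",
                                 "dependencies": {"proc-title": {"version": "1.0.0"}}}},
}
```

Obfuscated payloads may not contain the host names in clear text, so an empty host scan is not proof of a clean tree; the lockfile match is the more reliable signal.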

Kaspersky added that they're still monitoring updates to npm repositories to ensure that all new malicious packages pushing these malware strains are detected and removed.

This is a recurring theme among malicious npm packages, and it's just one of a seemingly endless stream of malware specifically tailored to target Discord users in recent years with information stealers.

For instance, in 2019, malware dubbed Spidey Bot was used to modify the Windows Discord client to backdoor it and deploy an information-stealing trojan.

Malicious npm and PyPI libraries were also used to target Discord users, steal their user tokens and browser information, and install MBRLocker data wiping malware calling itself Monster Ransomware.
