Malicious Npm Packages Tapped Again to Target Discord Users

Threat actors once again are using the node package manager (npm) repository to hide malware that can steal Discord tokens to monitor user sessions and steal data on the popular chat and collaboration platform, researchers have found. A campaign discovered this week by Kaspersky researchers is hiding an open-source token logger alongside a novel JavaScript malware in npm packages. The campaign, dubbed LofyLife, is aimed at stealing Discord tokens as well as victims’ IP addresses from infected machines, they said in a blog post on Secure List published Thursday. Researchers were monitoring open-source repositories on Tuesday when they noticed suspicious activity in the form of four packages containing “highly obfuscated malicious Python and JavaScript code” in the npm repository, they wrote in the post. The Python code turned out to be a modified version of the open-source token logger Volt Stealer, while the novel JavaScript malware–dubbed “LofyStealer”–was created to infect Discord client files so threat actors can monitor the victim’s actions, researchers said. “It detects when a user logs in, changes email or password, enables/disables multi-factor authentication (MFA) and adds new payment methods, including complete bank card details,” researchers Igor Kuznetsov and Leonid Bezvershenko wrote. “Collected information is also uploaded to the remote endpoint whose address is hard-coded.” Npm As Supply-Chain Threat The npm repository is an open-source home for JavaScript…