Malicious campaign makes use of npm packages to steal Discord users' information

An ongoing malicious campaign, dubbed LofyLife, is using multiple npm packages to infect Discord users with malware that steals their payment card information.

The malware is a variant of the open-source, Python-based Volt Stealer token logger, according to Kaspersky researchers Igor Kuznetsov and Leonid Bezvershenko.

The researchers said that on 26 July, using their internal automated system for monitoring open-source repositories, they identified four suspicious packages in the Node Package Manager (npm) repository.

These packages contained highly obfuscated malicious Python and JavaScript code. The researchers dubbed this malicious campaign ‘LofyLife’. The malware is deployed automatically once any of the malicious npm modules small-sm, pern-valids, lifeculer, or proc-title is installed.

Once installed, it collects Discord tokens and system information, including the victims’ IP addresses.

It does this by monitoring the victims’ actions, ranging from logins and credential change attempts to multi-factor authentication toggles and the addition of new payment methods, in order to steal Discord accounts and complete payment information.

After it is harvested, the data is uploaded to one of several Replit-hosted instances whose addresses are hard-coded within the malware.

This is just one in an endless stream of information-stealing malware specifically designed to target Discord users in recent years.
