
Miscreants aim to cause Discord discord with malicious npm packages
2022-08-02 09:31

Cybercriminals continue to use the npm registry to distribute malicious packages to unsuspecting victims, most recently to steal Discord login tokens, bank card data, and other user information from infected systems.

Details of the latest npm campaign, dubbed "LofyLife" by Kaspersky threat intelligence hunters, come at the same time that GitHub, which owns npm, Inc. and is in turn owned by Microsoft, unveiled an array of enhancements to npm security in the wake of several high-profile incidents involving malicious npm packages.

The Kaspersky researchers, Igor Kuznetsov and Leonid Bezvershenko, wrote in a report late last week that they identified four suspicious packages in the npm repository, all of which held highly obfuscated JavaScript and Python code.

Given the high number of JavaScript packages hosted by npm for developers, it's not surprising that it has become a target for cybercriminals wishing to disrupt the software supply chain.

Once a miscreant has broken into the account of an npm package maintainer and altered the library code to include malware, or has uploaded a new malicious package to lure developers into using it, the malicious scripts can start making their way into apps and run on the computers of developers and end users alike.

All packages in the npm registry were re-signed, and GitHub added a new npm CLI command, npm audit signatures, that verifies those registry signatures for the packages installed in a project.
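The two points above, a tampered or swapped package reaching a developer's machine and the registry-side integrity checks added in response, can be illustrated with a small offline pre-install audit. The script below is an added example, not code from Kaspersky, GitHub or npm: it verifies a package tarball against the sha512 subresource-integrity value that package-lock.json pins (the lockfile check npm performs, not the ECDSA registry signatures that npm audit signatures verifies, which need the registry's public key), lists the lifecycle hooks (preinstall, install, postinstall) that npm executes automatically during installation, and flags file types that have no place in a JavaScript-only package, such as the Python files found in the LofyLife packages. The package name, the file names and the tarball contents are constructed for the example.

```python
"""Offline pre-install audit of an npm package tarball (added example)."""
import base64
import hashlib
import io
import json
import tarfile

# npm runs these package.json scripts automatically during `npm install`
# of a registry package; this is the usual place a malicious payload is wired in.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
# Heuristic: file types that should not appear in a pure-JavaScript package.
PAYLOAD_SUFFIXES = (".py", ".exe", ".dll", ".sh", ".bat")


def sri_sha512(data: bytes) -> str:
    """Subresource Integrity string in the form package-lock.json stores it."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def audit_tarball(tarball: bytes, expected_integrity: str) -> dict:
    """Compare the tarball to the pinned integrity value and inspect its contents."""
    report = {
        "integrity_ok": sri_sha512(tarball) == expected_integrity,
        "hooks": {},
        "suspicious_files": [],
    }
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            # Registry tarballs place everything under a "package/" prefix.
            if member.name == "package/package.json":
                manifest = json.load(tf.extractfile(member))
                scripts = manifest.get("scripts", {})
                report["hooks"] = {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}
            elif member.name.endswith(PAYLOAD_SUFFIXES):
                report["suspicious_files"].append(member.name)
    return report


def is_safe_to_install(report: dict) -> bool:
    """Policy: pinned bytes match, no install-time hooks, no foreign payloads."""
    return report["integrity_ok"] and not report["hooks"] and not report["suspicious_files"]


def build_sample_package(manifest: dict, files: dict) -> bytes:
    """Construct a minimal npm-style tarball in memory (sample data for the example)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        entries = {"package/package.json": json.dumps(manifest).encode()}
        entries.update(files)
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample mirroring the pattern described in the article:
    # a postinstall hook launching an obfuscated loader, plus a Python file.
    evil = build_sample_package(
        {"name": "sample-discord-helper", "version": "1.0.0",
         "scripts": {"postinstall": "node loader.js", "test": "jest"}},
        {"package/loader.js": b"eval(Buffer.from('Li4u', 'base64').toString())",
         "package/stealer.py": b"# placeholder, stands in for the Python payload\n"},
    )
    report = audit_tarball(evil, sri_sha512(evil))
    print(report, "safe:", is_safe_to_install(report))
    # A tarball swapped after the lockfile was written fails the integrity check.
    print(audit_tarball(evil, "sha512-AAAA")["integrity_ok"])
```

In practice the expected integrity value comes from the package's entry in package-lock.json, and a package that trips the hook check can still be installed for inspection with npm install --ignore-scripts so that no lifecycle script runs before someone has read it.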


News URL

https://go.theregister.com/feed/www.theregister.com/2022/08/02/npm_lofylife_discord_kaspersky/