LofyGang Distributed ~200 Malicious NPM Packages to Steal Credit Card Data
2022-10-07 12:59

Multiple campaigns that distributed trojanized and typosquatted packages on the NPM open source repository have been identified as the work of a single threat actor dubbed LofyGang.

Checkmarx said it discovered 199 rogue packages totaling thousands of installations, with the group operating for over a year with the goal of stealing credit card data as well as user accounts associated with Discord Nitro, gaming, and streaming services.

What's more, the fraudulent packages traced back to the group have been found to embed password stealers and Discord-specific malware, some of which are designed to steal credit cards.

To conceal the scale of the supply chain attack, the packages are intentionally published through different user accounts so that other weaponized libraries remain unaffected on the repositories even if one of them is spotted and removed by the maintainers.

The adversary has been found using a sneaky technique wherein the top-level package is kept free of malware but depends on another package that introduces the malicious capabilities.
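Because the payload sits in a dependency rather than in the package a developer actually installs, a review limited to direct dependencies misses it. The following is an added example, not code from Checkmarx or the article: it walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3 assumed) and reports the dependency chain that pulls in any name on a denylist. The lockfile, the package names and the denylist are constructed for illustration.

```javascript
// Constructed sample in the package-lock.json "packages" layout (lockfileVersion 3).
// Every package name below is made up for illustration.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "clean-looking-util": "^1.0.0", "left-helper": "^2.0.0" } },
    "node_modules/clean-looking-util": { version: "1.0.3", dependencies: { "mid-layer": "^3.0.0" } },
    "node_modules/clean-looking-util/node_modules/mid-layer": { version: "3.2.0", dependencies: { "hidden-payload-dep": "^0.1.0" } },
    "node_modules/hidden-payload-dep": { version: "0.1.2" },
    "node_modules/left-helper": { version: "2.1.0" },
  },
};

// Resolve `dep` as required from the package installed at `fromPath`, the way
// Node does: nearest node_modules first, then each parent, ending at the root.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null; // already tried the root: not installed
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Breadth-first walk from the root project; returns one hit per denylisted
// package with the shortest chain of dependencies that leads to it.
function findFlagged(lock, denylist) {
  const packages = lock.packages || {};
  const hits = [];
  const seen = new Set([""]);
  const queue = [{ path: "", chain: [] }];
  while (queue.length) {
    const { path, chain } = queue.shift();
    const entry = packages[path] || {};
    const deps = { ...entry.dependencies, ...entry.optionalDependencies,
                   ...(path === "" ? entry.devDependencies : {}) };
    for (const dep of Object.keys(deps)) {
      const resolved = resolveDep(packages, path, dep);
      if (!resolved || seen.has(resolved)) continue;
      seen.add(resolved);
      const next = [...chain, dep];
      if (denylist.has(dep)) {
        hits.push({ name: dep, version: packages[resolved].version, direct: chain.length === 0, chain: next });
      }
      queue.push({ path: resolved, chain: next });
    }
  }
  return hits;
}

console.log(findFlagged(sampleLock, new Set(["hidden-payload-dep"])));
```

In practice the denylist would be fed from advisory data for the packages that have been reported and removed.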

Even the hacking tools shared by LofyGang on GitHub depend on malicious packages, effectively acting as a conduit to deploy persistent backdoors on the operator's machines.


News URL

https://thehackernews.com/2022/10/lofygang-distributed-200-malicious-npm.html