Kaspersky researchers using the internal automated system for monitoring open-source repositories have identified a malicious campaign dubbed LofyLife.
The campaign employs four malicious packages spreading Volt Stealer and Lofy Stealer malware in the open-source npm repository to gather various information from victims, including Discord tokens and credit card information, and to spy on them over time.
The npm repository's popularity makes the LofyLife campaign even more dangerous, as it could potentially have affected numerous users of the repository.
Volt Stealer was used to steal Discord tokens from the infected machines, along with the victim's IP address, and to upload them via HTTP. Lofy Stealer, a new development from the attackers, is able to infect Discord client files and monitor the victim's actions, detecting when a user logs in, changes email or password details, enables or disables multi-factor authentication, or adds new payment methods, including full credit card details.
Collected information is also uploaded to the remote endpoint.