Best Top Reviews Online

Return of Malicious Npm Packages to Target Discord Users

A recent LofyLife campaign steals tokens and infects client files to monitor logins, password changes, and payment methods, among other user actions.

Researchers have discovered that threat actors are again using the node package manager (npm) repository to conceal malware that can steal Discord tokens to monitor user sessions and steal data from the popular chat and collaboration platform.

This week, Kaspersky researchers discovered a campaign that conceals an open-source token logger and a novel JavaScript malware within npm packages. The campaign, dubbed LofyLife, aims to steal Discord tokens and IP addresses from infected machines, according to a blog post published Thursday on Secure List.

Tuesday, while monitoring open-source repositories, researchers noticed suspicious activity in the form of four packages containing “highly obfuscated malicious Python and JavaScript code” in the npm repository, they wrote in a blog post.

The Python code turned out to be a modified version of the open-source token logger Volt Stealer, while the novel JavaScript malware, dubbed “LofyStealer,” was designed to infect Discord client files so that threat actors could monitor the victim’s actions, according to researchers.

Researchers Igor Kuznetsov and Leonid Bezvershenko wrote, “It detects when a user logs in, changes email or password, enables/disables multi-factor authentication (MFA), and adds new payment methods, including complete bank card details.” “Information collected is also uploaded to a remote endpoint whose address is hard coded.”

Npm As Supply-Chain Threat

The npm repository is an open-source location where JavaScript developers can share and reuse code blocks that can then be re-used to create a variety of web applications. The repository poses a significant supply-chain risk because if it is compromised, malicious code is propagated in every app that uses it and can therefore be used to attack the app’s numerous users.

Indeed, attacking open-source repositories can be an unusually stealthy method for threat actors to target a large number of apps and users simultaneously. This was made abundantly clear by the now-famous Log4Shell debacle, in which a zero-day vulnerability in the ubiquitous Java logging library Apache Log4j used by countless web applications threatened to bring down the internet.

Tim Mackey, the principal security strategist at the Synopsys Cybersecurity Research Center, remarked in an email to Threatpost, “Many people believed that software created by a vendor was entirely authored by that vendor, but in reality, even the simplest software could contain hundreds of third-party libraries.”

This expansive attack surface has not escaped the notice of threat actors, who are increasingly targeting open-source repositories to conceal malware that can lurk undetected across multiple platforms.

Threat actors are interested in any attack vector that can reach a significant number of targets or several significant targets, according to Casey Bisson, head of product and developer enablement at code-security firm BluBracket.

Conflict in the Crosshairs

In addition to having tens of millions of users, packages hosted by the repository have also been downloaded billions of times, he said, making Npm a particularly attractive target for threat actors.

Bisson remarked, “It is utilized by both experienced Node.js developers and those using it casually as part of other activities.” “Both Node.js production applications and developer tooling for applications that wouldn’t otherwise use Node.js utilize Npm modules. Its widespread use among developers makes it a major target.”

Indeed, this is not the first time that threat actors have exploited npm to target Discord users. In December, researchers at JFrog discovered 17 malicious npm packages with varying payloads and tactics that targeted a virtual meeting platform used by 350 million users and enabled voice calls, video calls, text messages, and file sharing.

Before that, in January 2021, other researchers discovered three malicious npm packages from the threat actors behind the CursedGrabber malware, which were designed to steal Discord tokens and other user data.

Researchers reported that Kaspersky, along with other security firms, constantly monitors updates to npm repositories to ensure that all new malicious packages are detected and removed.

Why Trust Us?

Best Top Reviews Online was established in 2018 to provide our readers with detailed, truthful, and impartial advice on what to buy. We now have millions of monthly users from all over the world and annually evaluate over a thousand products.

The above article was written by the BestTopReviewsOnline team, which consists of some of the most knowledgeable technical experts in the United States. Our team consists of highly regarded writers with vast experience in smartphones, computer components, technology apps, security, and photography, among other fields.

Related Stories

  • All Post
  • Best Picks
  • Explainers
  • How To
  • News
  • Versus

Get more info



Best Products

Buying Guides

Contact Us

About Us

We provide a platform for our customers to rate and review services and products, as well as the stores that sell them. We research and compare the most popular brands and models before narrowing it down to the top ten, providing you with the most comprehensive and reliable buying advice to help you make your decision.

Disclaimer is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to As an Amazon Associate I earn from qualifying purchases.


Address & Map

20 S Santa Cruz Ave, Suite 300, Los Gatos, CA 95030, United States

© 2022 Pty. Ltd. All Rights Reserved. Licensing: All third-party trademarks, images, and copyrights used on this page are for comparative advertising, criticism, or review. As this is a public forum where users can express their opinions on specific products and businesses, the opinions expressed do not reflect those of