Several campaigns that distributed trojanized and typosquatted packages on the NPM open source repository have been identified as the work of a single threat actor called LofyGang.
Checkmarx said it detected 199 rogue packages totaling thousands of installations, with the group operating for over a year with the aim of stealing credit card data as well as user accounts linked to Discord Nitro, games and streaming services.
“LofyGang operators are seen promoting their hacking tools in hacking forums, while some of the tools come with a hidden backdoor,” the software security company said in a report shared with The Hacker News before it was published.
Different parts of the attack puzzle have already been reported by JFrog, Sonatype and Kaspersky (who called it LofyLife), but the latest analysis brings the various operations together under one organizational umbrella that Checkmarx refers to as LofyGang.
Believed to be an organized crime group of Brazilian origin, the attackers have a track record of using sock puppet accounts to advertise their tools and services on GitHub, YouTube, and leaking thousands of Disney+ and Minecraft accounts on underground hacking forums.
It is also known to use a Discord server created almost a year ago on October 31, 2021, to provide technical support and communicate with their members. One of the main offerings is a service that sells fake Instagram followers.
“Discord, Repl.it, glitch, GitHub and Heroku are just a few services LofyGang uses [command-and-control] servers for their operation,” the researchers noted.
Additionally, the fraudulent packages traced back to the group have been found to embed password stealers and Discord-specific malware, some of which are designed to steal credit cards.
To hide the scope of the supply chain attack, the packages are intentionally published through different user accounts so that other weaponized libraries remain unaffected in the repositories even if one of them is discovered and removed by the maintainers.
Furthermore, the adversary has been found to use a sneaky technique where the top-level package is kept free of malware, but relies on another package that introduces the malicious properties.
That’s not all. Even the hacking tools shared by LofyGang on GitHub rely on malicious packages, effectively acting as a conduit to deploy persistent backdoors on the operator’s machines.
The findings are yet another indication that malicious actors are increasingly looking to the open source ecosystem as a stepping stone to expand the scope and effectiveness of their attacks targeting downstream customers.
“Communities are formed around the use of open source software for malicious purposes,” the researchers concluded. “We believe this is the start of a trend that will increase in the coming months.”