Lofy Stealer

A threatening campaign targeting the Discord data and tokens of its victims has been uncovered by cybersecurity researchers. Information about the operation and the malware threats used by the attackers was published in a report by malware experts. According to their findings, the threat actors are using weaponized npm (Node Package Manager) packages to deliver two different malware - an obfuscated Python code that belongs to a threat known as the Volt Stealer and a JavaScript malware name Lofy Stealer. The attack campaign as a whole is being tracked as LofyLife.

The four corrupted npm modules spread by the hackers are named 'small-sm,' 'pern-valids,' 'lifeculer' or 'proc-title.' After being executed, they will drop the associated malware on the victim's system. The Lofy Stealer is designed specifically to infect the targeted user's Discord client files. Doing so allows the attackers to monitor the victim's activities. To be more precise, Lofy Stealer is capable of detecting when the user logs in to Discord, if they make any changes to the email or password related to the account, and whether MFA (multi-factor authentication) is enabled or disabled. More importantly, Lofy Stealer can recognize when users add a new payment method and will collect all entered payment details.

All harvested data is then transmitted to Replit-hosted servers under the threat actor's control. These addresses of the available serves are hard-coded into the malware threats. Infosec researchers warn that new malicious npm packages might be released by the cybercriminals responsible for the LofyLife operation.