Date: 2022-08-02

Discord users, we have some not-so-great news for you. Reports have it that cybercriminals have found a new way to steal your Discord account, and they are doing it by using the npm (Node Package Manager) open-source repository along with a “couple of malware” variants.

According to Kaspersky, which was the first to spot this campaign, cybercriminals have created four different malicious packages that spread two different pieces of malware. The campaign has been dubbed LofyLife, and it has hackers spreading Volt Stealer and Lofy Stealer malware to Discord users.

These packages are being distributed through the repository, as TechRadar reports, from where they are being adopted by various developers. Once these get integrated, the malware seeks to harvest different kinds of information from the unsuspecting user, such as Discord tokens and credit card information, along with other sensitive and “potentially identifiable data”.

Kaspersky has pointed out that the malicious packages are designed for basic tasks like gaming functions or formatting headlines, but when one digs deeper, it’s a whole different story. Researchers have found “obfuscated malicious JavaScript and Python code”: Volt Stealer, written in Python, and Lofy Stealer, written in JavaScript.

While Volt Stealer harvests Discord tokens from “compromised endpoints”, it also copies victims’ IP addresses and uploads them via HTTP. The Lofy Stealer can infect Discord client files and also monitor the victims’ actions. It is also capable of tracking when the user logs in and can change login details such as both the email and the password. Following this, they can change and/or disable multi-factor authentication, add new payment methods like credit card details, and upload all of this data to a remote server, as TechRadar explained.

But why Discord?

As TechRadar points out, threat actors “love attacking” Discord because it is the “go-to” platform for gamers, developers, NFT and blockchain aficionados when it comes to communications. Thus it is “filled with potentially lucrative fraud opportunities”.

Reports explain that the npm repository the cybercriminals are using is a public library of open-source code, used by developers to build mobile apps, front-end web apps, routers, and bots. The JavaScript community is reportedly heavily dependent on the npm repository, which makes LofyLife “that much more dangerous”.

