A data-stealing software supply chain attack went unchecked for over a year.
So say researchers with security vendor Checkmarx, who uncovered a collection of nearly 200 poisoned NPM packages that could be traced back to a single organized cybercrime operation. Known as "LofyGang," the crew deals in stolen credit cards and streaming service credentials, according to Checkmarx.
The researchers said that by distributing the NPM malware, the cybercriminals infected applications and, in turn, harvested account and card data from end users. The pilfered data was then handed out on a Discord forum that was said to have about 14,000 users.
The researchers noted that among the premium accounts to be traded on the server were credentials for Discord's own Nitro service.
In addition to trafficking in stolen cards and account credentials, the group also develops and distributes its in-house hacking tools on GitHub.
Tzachi Zorenshtain, head of supply chain security and CxDustico at Checkmarx, told TechTarget Editorial that it is rare for an attack to go undiscovered for so long.
"There were earlier reports by multiple companies flagging some of those packages, but it took extensive research to discover the entire operation," Zorenshtain said in an email. "It is not currently the norm to share evidence (i.e., malicious packages found) in the open-source ecosystem."
The Checkmarx team traced the LofyGang crew back to Brazil, though they note that identifying the specific members will be more difficult.
"They create sock-puppet accounts using a closed dictionary of names with slight permutations of keywords such as lofy, life, polar, panda, kakau, evil, devil, and vilão (villain in Portuguese)," the Checkmarx team explained.
"As we explored this case, we guessed their origin is Brazil as much of the evidence contained Brazilian Portuguese sentences and even a file called 'brazil.js', which contained malware found in a couple of their malicious packages."
Checkmarx said that while the packages have since been removed and NPM, GitHub and Discord have all been notified, the nature of open-source repositories can make it hard for researchers to effectively track bad packages.
"When defenders disclose malicious packages to package managers (NPM, PyPI, etc.), the package managers simply delete the related release artifacts and metadata," the researchers noted.
"While this does prevent users from downloading the malware, it makes things hard for defenders to (a) know what happened, as this is not documented, and (b) learn and improve from the attacker's activities as it's almost impossible to get the removed evidence."
Software supply chain attacks have become a growing trend in recent years as criminals have discovered that by infecting the code dependencies open source developers rely on, they can reach every downstream application and its end users at once. The LofyGang campaign is just the latest attack to use NPM packages to spread malicious code.
Often, the threat actors make their infected modules resemble popular libraries to trick developers, or rely on typosquatting (names one keystroke away from a legitimate package). In the case of LofyGang, for example, the malware was made to look like several Discord code libraries.