"LofyGang Hackers Built a Credential-Stealing Enterprise on Discord, NPM"

By distributing 200 malicious packages and fake hacking tools on code hosting platforms such as NPM and GitHub, the LofyGang threat actors have built a credential-stealing enterprise. Researchers have discovered these packages in supply chain attacks using typo-squatted package names. Many of the malicious packages have been reported and removed, but others remain available for download as of October 7. There is a dedicated project to search for and track malicious LofyGang packages on GitHub.

Checkmarx inferred from the threat group's extensive online presence that they are interested in stealing credit card information, Discord Nitro credentials, and streaming and gaming service accounts, such as Disney+ and Minecraft. LofyGang seems to be motivated by financial gain, aiming to compromise a large number of accounts and resell access to those accounts on various private channels on the dark web, hacking forums, and Discord. The group also has a YouTube channel where it posts video tutorials on how to use its hacking tools, with two videos surpassing 10,000 views.

The group's Discord channel was created a year ago to provide guidance and support to the operators of its hacking tools, as well as to hold promotional Discord Nitro giveaways. Channel members can use a Discord bot called Lofy Boost to purchase Nitro on their behalf with a stolen credit card. The bot also receives user tokens, which the criminals may later exploit. The stolen credit cards are obtained through NPM supply chain infections and the distribution of laced and backdoored hacking tools on GitHub, which less skilled cybercriminals can obtain and use for free. Many of the NPM packages pretend to be Discord development packages or packages for color, strings, and file operations. This article continues to discuss the LofyGang credential-stealing enterprise.

Bleeping Computer reports "LofyGang Hackers Built a Credential-Stealing Enterprise on Discord, NPM"

Submitted by Anonymous on