Threat group LofyGang uses over 200 malicious NPM packages with thousands of installs to steal credit card data and gaming and streaming accounts, before sharing the stolen credentials and loot on underground hacking forums.
According to a report by Checkmarx, the cyberattack group has been in operation since 2020, infecting open source supply chains with malicious packages in an attempt to weaponize software applications.
The research team believes the group may have Brazilian origins, due to the use of Brazilian Portuguese and a file called “brazil.js”, which contained malware found in a few of their malicious packages.
The report also details the group’s tactic of leaking thousands of Disney+ and Minecraft accounts to an underground hacking community using the DyPolarLofy alias and promoting their hacking tools via GitHub.
“We saw multiple classes of malicious payloads, general password stealers, and Discord-specific persistent malware; some were embedded in the package, and some downloaded the malicious payload during runtime from C2 servers,” the Friday report noted.
LofyGang operates with impunity
The group has deployed tactics such as typosquatting, which targets typing errors in the open source supply chain, as well as “StarJacking”, in which the package’s GitHub repository URL is linked to a legitimate but unrelated GitHub project.
“Package managers do not validate the accuracy of this reference, and we are seeing attackers take advantage of this by stating that their package’s Git repository is legit and popular, which may trick the victim into thinking it is a legitimate package due to its supposed popularity,” the report said.
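As an added, defender-side example (not code from the Checkmarx report or from the packages it describes): npm does not check that a package’s declared repository URL belongs to that package, which is what makes StarJacking possible. The script below compares an npm manifest with the package.json of the repository it claims (fetched separately by the caller; here constructed samples), and also flags names within two edits of a well-known package, covering the typosquatting tactic as well; the allowlist of popular names and the sample manifests are assumptions.

```javascript
// Normalise the forms npm accepts for `repository` into lower-case "owner/repo".
function repoSlug(repository) {
  const raw = typeof repository === 'string' ? repository : (repository && repository.url) || '';
  const m = raw.match(/github\.com[\/:]([^\/]+)\/([^\/#?]+?)(?:\.git)?(?:[#?].*)?$/i)
         || raw.match(/^(?:github:)?([\w.-]+)\/([\w.-]+)$/);
  return m ? `${m[1]}/${m[2]}`.toLowerCase() : null;
}

// Plain Levenshtein distance, used as a cheap typosquat heuristic.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// manifest: the package.json published to npm.
// repoManifest: package.json at the root of the referenced repo, or null if unreadable.
// popular: names to compare against (assumed allowlist of well-known packages).
function assessPackage(manifest, repoManifest, popular) {
  const slug = repoSlug(manifest.repository);
  let starjack = 'no-repo';
  if (slug) {
    if (!repoManifest) starjack = 'repo-unreadable';
    else starjack = repoManifest.name === manifest.name ? 'match' : 'mismatch';
  }
  const near = popular.find(p => p !== manifest.name && editDistance(p, manifest.name) <= 2);
  return { slug, starjack, typosquatOf: near || null };
}

// Constructed samples: a suspect package pointing its repository field at a popular project.
const suspect = { name: 'lodashh', version: '1.0.0', repository: 'https://github.com/lodash/lodash.git' };
const lodashRepo = { name: 'lodash', version: '4.17.21' };
const genuine = { name: 'lodash', repository: { type: 'git', url: 'git+https://github.com/lodash/lodash.git' } };
const popular = ['lodash', 'express', 'react'];
console.log(assessPackage(suspect, lodashRepo, popular));  // starjack: 'mismatch', typosquatOf: 'lodash'
console.log(assessPackage(genuine, lodashRepo, popular));  // starjack: 'match', typosquatOf: null
```

In a real pipeline the repository manifest would be fetched from the slug over HTTPS; a mismatch or an unreadable repo is a signal to review the package, not proof of malice.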
The ubiquity and success of open-source software has made it an ideal target for malicious actors like LofyGang, says Jossef Harush, head of Checkmarx’s supply chain security engineering group.
He considers LofyGang’s main characteristics to include its ability to create a large community of hackers, to abuse legitimate services as command-and-control (C2) servers, and its efforts to poison the open source ecosystem.
“They remain active and continue to release malicious software supply chain packages,” he says.
By publishing the report, Harush says he hopes to raise awareness of the evolution of attackers, who are now building communities with open source hacking tools.
“Attackers rely on victims not to pay enough attention to detail,” he adds. “And honestly, even I, with years of experience, would potentially fall for some of these cheats because they look like legitimate packages to the naked eye.”
Open Source not designed for security
Harush points out that unfortunately the open source ecosystem was not designed for security.
“Although anyone can register and publish an open source package, there is no verification process in place to check if the package contains malicious code,” he says.
A recent report by software security firm Snyk and the Linux Foundation found that about half of companies have an open source software security policy in place to guide developers in using components and frameworks.
However, the report also found that those who have such policies in place generally have better security. Google, for its part, makes its software verification and remediation process for security issues available to help close off avenues for hackers.
“We see attackers taking advantage of this because it’s very easy to release malicious packages,” he explains. “The lack of verification makes it possible to disguise packages to appear legitimate with stolen images, similar names, or even referencing the websites of other legitimate Git projects just so that they get the number of stars of other projects on their malicious package pages.”
Towards supply chain attacks?
From Harush’s perspective, we are reaching the point where attackers are realizing the full potential of the open source supply chain attack surface.
“I expect open source supply chain attacks to evolve more towards attackers aiming to steal not only the victim’s credit card, but also the victim’s workplace credentials, like a GitHub account, and from there go after the biggest jackpots of software supply chain attacks,” he says.
This would include the ability to access a workplace’s private code repositories, contribute code while impersonating the victim, implant backdoors into enterprise-grade software, and more.
“Organizations can protect themselves by properly applying two-factor authentication to their developers, educating their software developers not to assume popular open source packages are safe if they appear to have many downloads or stars,” adds Harush, “and to be alert to suspicious activities in software packages.”