LofyGang Uses 100s of Malicious NPM Packages to Poison Open Source Software

Published: 23/11/2024   Category: security




The group has been operating for over a year, promoting its tools in hacking forums, stealing credit card information, and using typosquatting to slip malicious packages into the open source supply chain.



The LofyGang threat group is using more than 200 malicious NPM packages with thousands of installations to steal credit card data, and gaming and streaming accounts, before spreading stolen credentials and loot in underground hacking forums.
According to a report from Checkmarx, the group has been in operation since 2020, infecting open source supply chains with malicious packages in an effort to weaponize software applications.
The research team believes the group may have Brazilian origins, owing to the use of Brazilian Portuguese and a file called brazil.js, which contained malware and was found in a couple of their malicious packages.
The report also details the group's tactic of leaking thousands of Disney+ and Minecraft accounts to an underground hacking community under the alias DyPolarLofy, and of promoting its hacking tools via GitHub.
"We saw several classes of malicious payloads, general password stealers, and Discord-specific persistent malware; some were embedded inside the package, and some downloaded the malicious payload during runtime from C2 servers," the Friday report noted.
The group has deployed tactics including typosquatting, which targets typing mistakes in the open source supply chain, as well as StarJacking, whereby the package's GitHub repo URL is pointed at an unrelated but legitimate and popular GitHub project, so the package page inherits that project's star count.
"The package managers do not validate the accuracy of this reference, and we see attackers take advantage of that by stating their package's Git repository is legitimate and popular, which may trick the victim into thinking this is a legitimate package due to its so-called popularity," the report stated.
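The typosquatting and StarJacking tactics described above, together with the install-time payload download quoted from the report, are all things a consumer can screen for before running `npm install`. The following is an added example, not code from Checkmarx, the report, or LofyGang: it audits an npm package.json for (1) a name within one edit of a popular package, (2) a repository URL whose own package.json does not declare this package, and (3) lifecycle scripts that execute during install. The popular-package list, the sample manifests, the repository URL and the script command are constructed for the demonstration; in practice the repository-side manifest would be fetched from the linked repo rather than passed in.

```javascript
// Added example: pre-install heuristics for an npm package manifest.
// POPULAR is an assumed, constructed allow-list; a real check would use
// download-ranked names from the registry.
const POPULAR = ["lodash", "express", "discord.js", "colors", "chalk", "axios"];

// Optimal-string-alignment (Damerau-Levenshtein) distance. Typosquats are
// typically one insertion, deletion, substitution or transposition away.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Typosquat check: the name is not itself popular but is one edit away
// from a popular name (e.g. "discrod.js" vs "discord.js").
function typosquatCandidates(name, popular = POPULAR) {
  if (popular.includes(name)) return [];
  return popular.filter((p) => editDistance(name, p) <= 1);
}

// StarJacking check: npm displays stars for whatever repository URL the
// publisher wrote in package.json without verifying it. The cheapest
// cross-check is to read the package.json served by that repository and
// compare its "name" field. repoManifest stands in for that fetched file.
function repositoryMismatch(pkg, repoManifest) {
  const repo = pkg.repository;
  const url = typeof repo === "string" ? repo : repo && repo.url;
  if (!url) return { claimed: null, mismatch: false };
  return { claimed: url, mismatch: !repoManifest || repoManifest.name !== pkg.name };
}

// Install-time execution: packages that fetch a payload at runtime commonly
// hook lifecycle scripts, which npm runs automatically on install.
function riskyInstallScripts(pkg) {
  const hooks = ["preinstall", "install", "postinstall", "prepare"];
  const scripts = pkg.scripts || {};
  return hooks.filter((h) => h in scripts).map((h) => ({ hook: h, command: scripts[h] }));
}

// Combine the three checks into a list of human-readable findings.
function auditPackage(pkg, repoManifest) {
  const findings = [];
  const squats = typosquatCandidates(pkg.name);
  if (squats.length) {
    findings.push(`name "${pkg.name}" is one edit from popular package(s): ${squats.join(", ")}`);
  }
  const repo = repositoryMismatch(pkg, repoManifest);
  if (repo.mismatch) {
    findings.push(`repository ${repo.claimed} does not declare package "${pkg.name}" (possible StarJacking)`);
  }
  for (const s of riskyInstallScripts(pkg)) {
    findings.push(`lifecycle script ${s.hook} runs on install: ${s.command}`);
  }
  return findings;
}

// Constructed sample manifests (names, URL and command are illustrative,
// not taken from the report). SUSPICIOUS_PKG trips all three checks;
// LINKED_REPO_MANIFEST is what the referenced repository actually serves.
const SUSPICIOUS_PKG = {
  name: "discrod.js",
  version: "1.0.0",
  repository: { type: "git", url: "git+https://github.com/example-org/popular-lib.git" },
  scripts: { postinstall: "node brazil.js" },
};
const LINKED_REPO_MANIFEST = { name: "popular-lib", version: "4.2.0" };

const CLEAN_PKG = {
  name: "my-internal-tool",
  version: "0.1.0",
  repository: { url: "https://example.com/my-internal-tool.git" },
  scripts: { test: "node test.js" },
};
const CLEAN_REPO_MANIFEST = { name: "my-internal-tool", version: "0.1.0" };

console.log(auditPackage(SUSPICIOUS_PKG, LINKED_REPO_MANIFEST));
console.log(auditPackage(CLEAN_PKG, CLEAN_REPO_MANIFEST)); // []
```

The distance threshold of 1 is deliberately tight to keep false positives down on an internal allow-list; widening it to 2 catches more squats but also flags many unrelated short names, so pair it with a minimum name length if you do. None of these checks proves a package is safe; they only surface the signals the report says attackers rely on going unnoticed.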
The ubiquity and success of open source software has made it a ripe target for malicious actors like LofyGang, explains Jossef Harush, head of Checkmarx's supply chain security engineering group.
He sees LofyGang's key characteristics as including its ability to build a large hacker community, its abuse of legitimate services as command-and-control (C2) servers, and its efforts to poison the open source ecosystem.
This activity continues even after three different reports, from Sonatype, Securelist, and JFrog, uncovered LofyGang's malicious efforts.
"They remain active and continue to publish malicious packages in the software supply chain arena," he says.
By publishing this report, Harush says he hopes to raise awareness of the evolution of attackers, who are now building communities with open source hack tools.
"Attackers count on victims to not pay enough attention to the details," he adds. "And honestly, even I, with years of experience, would potentially fall for some of those tricks as they seem like legitimate packages to the naked eye."
Harush points out that unfortunately the open source ecosystem was not built for security.
"While anybody can sign up and publish an open source package, no vetting process is in place to check if the package contains malicious code," he says.
A recent report from software-security firm Snyk and the Linux Foundation revealed that only about half of firms have an open source software security policy in place to guide developers in the use of components and frameworks.
The report also found that those who have such policies in place generally exhibit better security. Separately, Google is making available its process of vetting and patching software for security issues to help close avenues to attackers.
"We see attackers take advantage of this because it's super easy to publish malicious packages," he explains. "The lack of vetting makes it possible to disguise the packages to appear legit with stolen images, similar names, or even by referencing other legitimate Git projects' websites just so they get the other projects' star counts on their malicious packages' pages."
From Harush's perspective, we're reaching the point where attackers realize the full potential of the open source supply chain attack surface.
"I expect open source supply chain attacks to evolve further into attackers aiming to steal not only the victim's credit card, but also the victim's workplace credentials, such as a GitHub account, and from there, aim for the bigger jackpots of software supply chain attacks," he says.
This would include the ability to access a workplace's private code repositories, with the capability to contribute code while impersonating the victim, planting backdoors in enterprise-grade software, and more.
Organizations can protect themselves by enforcing two-factor authentication for their developers, by educating their software developers not to assume popular open source packages are safe just because they appear to have many downloads or stars, Harush adds, and by being vigilant about suspicious activity in software packages.
