The LofyGang threat group is using more than 200 malicious NPM packages with thousands of installations to steal credit card data, and gaming and streaming accounts, before spreading stolen credentials and loot in underground hacking forums.
According to a report from Checkmarx, the cyberattack group has been in operation since 2020, infecting open source supply chains with malicious packages in an effort to weaponize software applications.
The research team believes the group may have Brazilian origins, owing to the use of Brazilian Portuguese and a file called “brazil.js,” which contained malware found in a couple of their malicious packages.
The report also details the group’s tactic of leaking thousands of Disney+ and Minecraft accounts to an underground hacking community using the alias DyPolarLofy and promoting their hacking tools via GitHub.
“We saw several classes of malicious payloads, general password stealers, and Discord-specific persistent malware; some were embedded inside the package, and some downloaded the malicious payload during runtime from C2 servers,” the Friday report noted.
LofyGang Operates With Impunity
The group has deployed tactics including typosquatting, which targets typing mistakes in the open source supply chain, as well as “StarJacking,” whereby the package’s GitHub repo URL is linked to an unrelated legitimate GitHub project.
“The package managers do not validate the accuracy of this reference, and we see attackers take advantage of that by stating their package’s Git repository is legitimate and popular, which may trick the victim into thinking this is a legitimate package due to its so-called popularity,” the report stated.
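The two tactics above both exploit the fact that the registry takes the manifest's `repository` field at face value. As an added illustration (not code from the Checkmarx report or from any tool it describes), the following Node.js snippet audits an npm package manifest for both indicators: a `repository` URL whose repo name bears no resemblance to the package name (a StarJacking signal), and a package name within a small edit distance of a well-known package (a typosquatting signal). The `auditPackageManifest` function, the popular-name list, the thresholds and the sample manifests are all constructed for this example, and the URL parsing is an assumption that only handles GitHub-style references.

```javascript
// Added example, not from the Checkmarx report: heuristic audit of an npm
// package manifest for StarJacking and typosquatting indicators.
// Thresholds, sample manifests and the popular-name list are constructed.

// Levenshtein edit distance, used by the typosquatting heuristic.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Normalise the forms the "repository" field can take: shorthand such as
// "github:user/repo", a plain URL string, or an object with a url property.
// Assumption: only GitHub-style references are recognised; anything else is null.
function repoSlug(repository) {
  if (!repository) return null;
  const url = typeof repository === 'string' ? repository : repository.url;
  if (!url) return null;
  const m = url.match(/github(?:\.com)?[:/]+([^/]+)\/([^/.#]+)/i);
  return m ? `${m[1]}/${m[2]}`.toLowerCase() : null;
}

// Strip an npm scope so "@scope/name" compares as "name".
function bareName(name) {
  return name.replace(/^@[^/]+\//, '').toLowerCase();
}

// Returns a list of findings; an empty list means neither heuristic fired.
function auditPackageManifest(manifest, popularNames) {
  const findings = [];
  const name = bareName(manifest.name);
  const slug = repoSlug(manifest.repository);

  // StarJacking indicator: the linked repository's name has nothing to do
  // with the package name. Forks and monorepos can legitimately trip this,
  // so treat it as a signal for review, not a verdict.
  if (slug) {
    const repoName = slug.split('/')[1];
    if (repoName !== name && editDistance(repoName, name) > 2) {
      findings.push({ kind: 'repo-mismatch', repo: slug });
    }
  }

  // Typosquatting indicator: one edit away from a well-known package name
  // while not actually being that package.
  for (const popular of popularNames) {
    const p = bareName(popular);
    if (p !== name && editDistance(p, name) <= 1) {
      findings.push({ kind: 'near-popular-name', target: popular });
    }
  }
  return findings;
}

// Constructed sample data (not real registry entries).
const POPULAR = ['lodash', 'express', 'discord.js'];

const legit = {
  name: 'lodash',
  repository: { type: 'git', url: 'git+https://github.com/lodash/lodash.git' },
};

// A package named one keystroke away from "express" whose manifest points
// at an unrelated, popular repository to borrow its star count.
const suspicious = { name: 'expres', repository: 'github:lodash/lodash' };

console.log('legit:', auditPackageManifest(legit, POPULAR));
console.log('suspicious:', auditPackageManifest(suspicious, POPULAR));
```

In a real pipeline the popular-name list would come from download statistics and the repository check would be followed by confirming that the linked repo actually publishes a package of that name; this block only shows the shape of the checks that the registry itself does not perform.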
The ubiquity and success of open source software has made it a ripe target for malicious actors like LofyGang, explains Jossef Harush, head of Checkmarx’s supply chain security engineering group.
He sees LofyGang’s key characteristics as its ability to build a large hacker community, its abuse of legitimate services as command-and-control (C2) servers, and its efforts in poisoning the open source ecosystem.
This activity continues even after three different reports — from Sonatype, Securelist, and jFrog — uncovered LofyGang’s malicious efforts.
“They remain active and continue to publish malicious packages in the software supply chain arena,” he says.
By publishing this report, Harush says he hopes to raise awareness of the evolution of attackers, who are now building communities with open source hack tools.
“Attackers count on victims to not pay enough attention to the details,” he adds. “And honestly, even I, with years of experience, would potentially fall for some of those tricks as they seem like legitimate packages to the naked eye.”
Open Source Not Built for Security
Harush points out that unfortunately the open source ecosystem was not built for security.
“While anybody can sign up and publish an open source package, no vetting process is in place to check if the package contains malicious code,” he says.
A recent report from software-security firm Snyk and the Linux Foundation revealed about half of firms have an open source software security policy in place to guide developers in the use of components and frameworks.
However, the report also found that those who have such policies in place generally exhibit better security. Separately, Google is making available its process of vetting and patching software for security issues to help close avenues to hackers.
“We see attackers take advantage of this because it’s super easy to publish malicious packages,” he explains. “The lack of vetting powers in disguising the packages to appear legit with stolen images, similar names, or even referencing other legitimate Git projects’ websites just to see they get the other projects’ stars amount on their malicious packages pages.”
Heading Toward Supply Chain Attacks?
From Harush’s perspective, we’re reaching the point where attackers realize the full potential of the open source supply chain attack surface.
“I expect open source supply chain attacks to evolve further into attackers aiming to steal not only the victim’s credit card, but also the victim’s workplace credentials, such as a GitHub account, and from there, aim for the bigger jackpots of software supply chain attacks,” he says.
This would include the ability to access a workplace’s private code repositories, with the capability to contribute code while impersonating the victim, planting backdoors in enterprise-grade software, and more.
“Organizations can protect themselves by properly enforcing their developers with two-factor authentication, educate their software developers to not assume popular open source packages are safe if they appear to have many downloads or stars,” Harush adds, “and to be vigilant to suspicious activities in software packages.”