Security Experts:

Connect with us

Hi, what are you looking for?



LofyGang Cybercrime Group Used 200 Malicious NPM Packages for Supply Chain Attacks

A cybercrime group named LofyGang has distributed roughly 200 malicious NPM packages that have been downloaded thousands of times over the past year, according to Checkmarx.

A cybercrime group named LofyGang has distributed roughly 200 malicious NPM packages that have been downloaded thousands of times over the past year, according to Checkmarx.

Likely operating out of Brazil, LofyGang appears to be an organized crime group focused on multiple hacking activities, including credit card data theft and Discord premium upgrades, as well as the hacking of games and streaming service accounts.

LofyGang has been observed abusing multiple public cloud services for command and control (C&C) purposes, including Discord, GitHub, glitch, Heroku, and, creating sock-puppet accounts using a closed dictionary of names (slight permutations of evil, devil, lofy, polar, panda, kakau, and vilão).

Since October 2021, the group has been using a Discord server for communication between administrators and members, and to provide technical support for its hacking tools.

The group also operates the GitHub account PolarLofy – which offers tools and bots for Discord, including a spammer, a password stealer, a Nitro generator, and a chat wiper, among others – and operates a YouTube account that contains self-promotion content.

Over the past year, LofyGang has published roughly 200 malicious open source packages, which either contained or linked to generic malicious payloads, password stealers, and Discord-specific malware.

The threat actor was seen relying on typosquatting and starjacking to create a false sense of legitimacy, referencing legitimate GitHub repositories in their packages, and copying the descriptions of popular packages.

To avoid detection, the group used clean first-level packages that had malicious packages among their dependencies and replaced the malicious dependency with a new one when discovered and removed. The attackers used different NPM user accounts to publish these packages.

Some of the packages associated with LofyGang would modify the installed Discord instance to steal credit card data that was sent directly to the attackers immediately when a payment was made.

LofyGang was also observed selling fake Instagram followers to an underground hacking community, as well as leaking online accounts, and promoting their hacking tools and bots.

According to Checkmarx, the group also targeted the users of its hacking tools with malicious packages, with some members of the underground community cautioning about potential infections.

“LofyGang’s hack tools also depend on malicious packages, which infect their operators with persistent hidden malware using the same capabilities described,” Checkmarx notes.

The group also created a Discord bot “to deploy stolen credit cards on the operator’s account”, claiming that the use of the bot would boost LofyGang’s Discord server.

“The surge of recent open-source supply chain attacks teaches us that cyber attackers have realized that abusing the open-source ecosystem represents an easy way to increase the effectiveness of their attacks. Communities are being formed around utilizing open-source software for malicious purposes. We believe this is the start of a trend that will increase in the coming months,” Checkmarx concludes.

Related: GitHub Improves npm Account Security as Incidents Rise

Related: Checkmarx Finds Threat Actor ‘Fully Automating’ NPM Supply Chain Attacks

Related: 1,300 Malicious Packages Found in Popular npm JavaScript Package Manager

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.


Cybercriminals earned significantly less from ransomware attacks in 2022 compared to 2021 as victims are increasingly refusing to pay ransom demands.