LofyGang Art

Supply Chain Hackers LofyGang Behind Hundreds of Malicious Packages

The security research team at Checkmarx Labs on Friday warned that an attack group called ‘LofyGang’ is responsible for 200 malicious packages linked to thousands of open source supply chain attacks via platforms likeGitHub, NPM, and more.

The report highlights a growing trend in which cyber attackers are abusing the open-source ecosystems, with communities forming around open-source software intended for malicious purposes, Checkmarx said in its report

Spotlight: How Secrets Sprawl Undermines Software Supply Chain Security

The report builds on previous research that exposed malicious open source packages published by the firms Sonatype, Jfrog, and Securelist in August 2022. According to Checkmarx, the malicious packages exposed by those firms were the tip of the iceberg. Subsequent research by Checkmarx on LofyGang’s malicious packages and indicators of compromise (IOCs)revealed more connections to other packages, proving that each report was a small piece of the big puzzle. 


Description automatically generated
A detective board showing connections between malicious packages. (Images courtesy of Checkmarx.)

Introducing LofyGang

According to Checkmarx, LofyGang is an organized criminal group from Brazil that steals and shares stolen credit cards, gaming, and streaming accounts. The attackers are popular and have a YouTube channel with nearly 4k subscribers that publishes self-promoting content, like video tutorials demonstrating how to use their hacking tools and launch a successful attack.

Lofygroup’s YouTube channel. (Image courtesy of Checkmarx.)

The gang also hosts a Discord server and created a Discord bot called “Lofy Boost” to place the stolen credit cards on the operator’s account. The attacker group has been observed using its Discord servers to communicate between their members and group administrators. Within the Discord servers, there is technical support for the group’s hacking tools, a dedicated bot, and a dark meme group responsible for a giveaway of Discord Nitro upgrades, Checkmarx wrote.

Apple, Amazon Throw Shade on Supply Chain Hack Story

Within the underground hacking community, LofyGang has been observed selling packages of fake Instagram followers, selling stolen credit card details and leaking Disney+ and Minecraft account documents under the alias DyPolarLofy, Checkmarx wrote. 

The LofyGroup’s GitHub page, PolarLofy (Image courtesy of CheckMarx

The group’s activities leverage open-source supply chain attacks. Lofy hacking tools rely on malicious packages infecting their operators with persistent hidden malware. 

Starjacking and Dependency Confusion 

As with other supply chain attacks, LofyGang relied on Starjacking and Typosquatting techniques to impersonate legitimate developers and packages. In the Starjacking approach, the attackers link a newly published package to an established repository, hijacking the “star rating” of the established repository  to make their package’s git repository look legitimate. (An attack reported last month also used the Starjacking technique. ) 

In typosquatting attacks, malicious actors name their package in ways designed to mimic established and legitimate packages, counting on developers to overlook subtle differences in spelling or naming conventions between the malicious package and the legitimate package they seek.. 

Supply chain attacks: down the memory hole

To help uncover the extent of the Lofy attacks, Checkmarx researchers developed custom tooling to track malicious activity over time by gathering open-source-related evidence. That was needed to counter the history-erasing effects of crackdowns on malicious packages, the firm said. 

When the malicious packages get disclosed to package managers such as NPM or PyPi, they delete the related release artifacts and metadata. That prevents users from downloading the malware, but also removes any history of the incident. For security researchers, this erasing of the history of an incident makes it hard to learn about the attacker’s activities or gather evidence about the attack..Checkmarx said its custom tooling enabled it to piece together the complete picture of Lofy’s activities, revealing a much larger campaign than was initially believed, as well as novel techniques to avoid detection. 

Episode 233: Unpacking Log4Shell’s Un-coordinated Disclosure Chaos

For example,   to avoid detection, Lofy would often keep the first-level open source package clean of any malicious code, but include a second order dependency that contained the malicious Lofy code.. The group would also spread their wares around using different NPM user accounts to publish the malicious packages. 

The researchers observed that when a malicious dependent package was identified and removed, the attackers replaced it with a new one. They would then update the main package with a link to the new, malicious dependency. 

Open source supply chain attacks: get used to them

To help track the group’s activity, Checkmarx published a list of compromised packages and a website that tracks the Lofy gang’s activities, Lofygang.info.  However, the company said that Lofygang won’t be the end of open-source supply chain attacks. “(Lofygang) teaches us that cyber attackers have realized that abusing the open-source ecosystem represents an easy way to increase the effectiveness of their attacks. Communities are being formed around utilizing open-source software for malicious purposes. We believe this is the start of a trend that will increase in the coming months,” the company wrote. 

Critical Flaw Found In Widely Used Netmask Open Source Module

Checkmarx is encouraging other companies or researchers with information on Lofygang’s activities or other supply chain compromises to share that information with the broader security community.