Feed
HighPublished 31 Mar 20261 package · 1 version

LofyGang returns with undicy-http typosquat delivering dual-payload RAT

Summary

JFrog tied undicy-http@2.0.0 (a typosquat of undici) to the Brazil-based LofyGang group last seen in 2022. The package pairs a Node.js WebSocket RAT with a native chromelevator.exe binary that uses direct syscalls for process hollowing, then injects browser credential stealers targeting 50+ browsers and 90+ wallet extensions.

typosquatinfostealercrypto-wallet-draincredential-theft
Threat actor
LofyGang
Detected by
JFrog
Also known as
GlassWorm-adjacent
Ecosystems
npm
Packages tracked
1

What happened

JFrog tied undicy-http@2.0.0 — a typosquat of the popular undici HTTP client — to LofyGang, the Brazil-based crew first documented by Checkmarx in October 2022. The package author field reads ConsoleLofy, hardcoded strings include Lofygang | t.me/lofygang, and the logging is in Portuguese, all consistent with prior LofyGang tooling.

The campaign is a meaningful capability jump. Earlier LofyGang payloads were JavaScript-only stealers for Discord tokens and credit cards. This release pairs a Node.js WebSocket RAT (C2 24.152.36.243:3000) with a native chromelevator.exe binary that uses direct syscalls for process hollowing, then injects browser credential stealers covering 50+ browsers and 90+ wallet extensions including 28+ desktop wallets and 6 hardware-wallet integrations.

  • Native binary SHA-256: d6090c843c58f183fb5ed3ab3f67c9d96186d1b30dfd9927b438ff6ffedee196.
  • Payload host: amoboobs.com (Cloudflare-fronted), last modified 2026-03-21.
  • Exfiltration channels: Discord webhooks, Telegram API, gofile.io, catbox.moe.
  • Persistence: scheduled task ScreenLiveClient and Discord client trojanisation.

The binary matches YARA rule MAL_Browser_Stealer_Dec25_2, the same signature used to track the broader GlassWorm developer-targeting campaign across npm, PyPI and GitHub. Session hijack targets include Roblox, Instagram, Spotify, TikTok, Steam and Telegram — anyone with credentials on the host should treat them as compromised.

Affected packages (1)

  • npmundicy-http
    2.0.0

Impact

  • Browser credential and 28+ desktop wallet theft (incl. 6 hardware-wallet integrations)
  • Session hijack across Roblox, Instagram, Spotify, TikTok, Steam, Telegram
  • Syscall-level injection means full machine compromise once executed

What to do

  1. 1npm uninstall undicy-http and audit for the typosquat across CI/dev hosts
  2. 2Delete scheduled task ScreenLiveClient and chromelevator.exe; reinstall Discord
  3. 3Rotate all stored credentials; consider full re-image given syscall-level compromise
  4. 4Block amoboobs.com and 24.152.36.243 at egress

References

npm-2026-03-31-undicy-lofygang