A new npm supply chain attack is targeting Node.js developers with a malicious package that masquerades as undici, the Node.js project's official HTTP client library. The package, named undicy-http, tricks developers into installing it and delivers a remote access trojan that can stream the victim's screen, together with a browser credential stealer.
Researchers at JFrog Security identified the package on March 31, 2026 and attribute it to the threat actor group LofyGang. Where the group's earlier operations centred on stealing Discord tokens and credit card data, this campaign gives the attackers live control of the developer's machine and access to a much wider range of credentials and session data.
New npm Supply Chain Attack Undermines Developer Security
The malicious package relies on a typosquatted name to exploit the trust developers place in widely used npm packages. Although its name closely mirrors the legitimate undici library, which is downloaded millions of times a week, undicy-http contains no HTTP client functionality at all. Instead, it deploys a two-stage payload designed to steal credentials, hijack user sessions, and give the attackers live remote control of the victim's system.
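Before the host-level indicators below are worth chasing, a developer or build engineer usually wants to know whether any project on a machine or a shared drive ever pulled the package in. The following PowerShell script is an added example written for this article, not code from the JFrog report or from the undici project. It walks a directory tree and reports the typosquatted name wherever it appears: declared in a package.json dependency section, resolved in an npm lockfile (v1 `dependencies` map or v2/v3 `packages` map, whose keys are `node_modules/...` paths), referenced in a yarn.lock or pnpm-lock.yaml, or simply present on disk under node_modules. The only indicator it checks is the package name the researchers published; the `$Suspect` parameter and the lockfile-parsing assumptions are the author's.

```powershell
# Added example, not from the report: find references to the typosquatted
# package across a tree of Node.js projects. Assumes standard npm v1/v2/v3,
# yarn v1 and pnpm lockfile layouts; only the package name is used as an indicator.
param(
    [string]$Root = (Get-Location).Path,
    [string[]]$Suspect = @('undicy-http')
)

$hits = New-Object System.Collections.Generic.List[object]
function Add-Hit([string]$File, [string]$Evidence) {
    $hits.Add([pscustomobject]@{ File = $File; Evidence = $Evidence })
}

# 1. Declared dependencies in package.json, skipping copies inside node_modules
Get-ChildItem -Path $Root -Recurse -Filter package.json -File -ErrorAction SilentlyContinue |
  Where-Object { $_.FullName -notmatch '[\\/]node_modules[\\/]' } |
  ForEach-Object {
    try { $pkg = Get-Content $_.FullName -Raw | ConvertFrom-Json } catch { return }
    foreach ($section in 'dependencies','devDependencies','optionalDependencies','peerDependencies') {
        $deps = $pkg.$section
        if ($null -eq $deps) { continue }
        foreach ($name in $deps.PSObject.Properties.Name) {
            if ($Suspect -contains $name) { Add-Hit $_.FullName "$section -> $name@$($deps.$name)" }
        }
    }
  }

# 2. Resolved packages in package-lock.json
Get-ChildItem -Path $Root -Recurse -Filter package-lock.json -File -ErrorAction SilentlyContinue |
  ForEach-Object {
    try { $lock = Get-Content $_.FullName -Raw | ConvertFrom-Json } catch { return }
    # lockfile v2/v3: 'packages' keys are install paths such as node_modules/foo
    if ($lock.packages) {
        foreach ($path in $lock.packages.PSObject.Properties.Name) {
            foreach ($s in $Suspect) {
                if ($path -match "(^|/)node_modules/$([regex]::Escape($s))$") {
                    Add-Hit $_.FullName "packages['$path'] version $($lock.packages.$path.version)"
                }
            }
        }
    }
    # lockfile v1: 'dependencies' keyed by bare package name
    if ($lock.dependencies) {
        foreach ($name in $lock.dependencies.PSObject.Properties.Name) {
            if ($Suspect -contains $name) {
                Add-Hit $_.FullName "dependencies['$name'] version $($lock.dependencies.$name.version)"
            }
        }
    }
  }

# 3. yarn.lock and pnpm-lock.yaml are text: match "<name>@" as a key
Get-ChildItem -Path $Root -Recurse -Include yarn.lock,pnpm-lock.yaml -File -ErrorAction SilentlyContinue |
  ForEach-Object {
    foreach ($s in $Suspect) {
        $m = Select-String -Path $_.FullName -Pattern "(^|[\s""'/])$([regex]::Escape($s))@"
        if ($m) { Add-Hit $_.FullName "$($m.Count) line(s) referencing $s" }
    }
  }

# 4. Installed copies on disk, regardless of what any lockfile says
Get-ChildItem -Path $Root -Recurse -Directory -Filter node_modules -ErrorAction SilentlyContinue |
  ForEach-Object {
    foreach ($s in $Suspect) {
        $dir = Join-Path $_.FullName $s
        if (Test-Path -LiteralPath $dir) { Add-Hit $dir 'package directory present in node_modules' }
    }
  }

if ($hits.Count -eq 0) { "No reference to $($Suspect -join ', ') found under $Root" }
else { $hits | Format-Table -AutoSize }
```

Run it as `.\Find-Typosquat.ps1 -Root D:\src` on a developer machine or a CI workspace. A hit in a lockfile means the package was resolved at some point even if it has since been removed from package.json, so treat any hit as "this host ran the install script" and move on to the host triage steps, not just to `npm uninstall`.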
The first stage involves a Node.js-based Remote Access Trojan (RAT). This RAT establishes a connection to a command-and-control (C2) server managed by the attackers. Once connected, it enables attackers to execute commands remotely, stream the victim’s screen, upload files, and capture audio from the microphone and video from the webcam.
The second stage drops a native Windows executable identified as chromelevator.exe. It injects into browser processes and harvests saved passwords, cookies, credit card details, IBANs, and session tokens. The researchers report that it targets more than 50 browsers and over 90 cryptocurrency wallet browser extensions.
Evidence inside the malware, including the hardcoded string "Lofygang Started" and Portuguese-language log messages, points to the group's Brazilian origins, and the package's author field, "ConsoleLofy", is a known LofyGang alias. The campaign marks a notable evolution in LofyGang's tactics, techniques, and procedures (TTPs), moving well beyond simple token and card theft.
The reach of this attack extends beyond just browser data. The malware is designed to extract session data from six popular platforms: Roblox, Instagram, Spotify, TikTok, Steam, and Telegram. Furthermore, it targets cryptocurrencies by going after 28 desktop cryptocurrency wallets, six hardware wallet integrations including those from Ledger and Trezor, and a significant number of browser wallet extensions.
Stolen data is exfiltrated over two channels, a Discord webhook and a Telegram bot. Larger files are first uploaded to file-sharing services such as gofile.io or catbox.moe, and only the download links are sent to the attackers. The chromelevator.exe component also matches the YARA rule MAL_Browser_Stealer_Dec25_2, which the researchers associate with the broader GlassWorm campaign framework and which has matched more than 1,750 malicious samples since December 2025.
Infection Chain: How the Malware Hides and Persists
When undicy-http is installed, its main script, index.js, first checks whether it is already running in hidden mode. If not, it writes a VBScript file to the system's temporary folder and relaunches itself through wscript.exe with a hidden window, so the infection proceeds without any visible console.
To survive reboots the malware tries three persistence mechanisms in order. First it creates a scheduled task named ScreenLiveClient that runs at user logon with the highest privileges available to the account. If that fails, it writes a value to a Run key in the registry. As a final fallback it drops a copy of itself into the Windows Startup folder. The VBScript launcher is then marked hidden and system with attrib +h +s so that it does not appear in a default directory listing.
The malware employs several anti-analysis techniques to evade detection by security tools. It performs ten anti-virtual machine checks, examining MAC addresses, BIOS strings, disk names, and active processes to identify sandbox environments like ANY.RUN, Cuckoo, and Triage. It also actively looks for the presence of analysis tools such as Wireshark, IDA, and Ghidra. To further deceive victims, it can display a fake “missing DLL” Windows error dialog while the malicious payload continues to operate silently in the background.
The native binary, chromelevator.exe, adds evasion of its own. Rather than calling the exported functions in ntdll.dll, it issues system calls directly, which sidesteps the user-mode hooks that many Endpoint Detection and Response (EDR) and antivirus products place on those exports. This defeats hook-based telemetry, not kernel-side sources such as ETW or the EDR's own driver, so detection engineering for this sample should lean on those and on the persistence and network indicators described above rather than on API hooking alone.
Developers who may have installed undicy-http should remove it immediately with npm uninstall undicy-http. Uninstalling the package does not undo the infection, so the host must be cleaned as well: terminate all running node and wscript.exe processes, remove the ScreenLiveClient scheduled task and the associated Run-key value, and delete the VBScript launcher from the temporary folder and the Startup folder. Reinstalling Discord clients is advised to clear any injected code. Block the C2 address 24[.]152[.]36[.]243 and the domain amoboobs[.]com at the host firewall and network perimeter.
Credential rotation must follow, and it must be done from a clean, uncompromised machine, since a RAT still resident on the victim will simply capture the new secrets. Rotate all passwords, Discord tokens, and session credentials for the affected platforms (Roblox, Instagram, Spotify, TikTok, Steam, and Telegram), and explicitly sign out of all active sessions on each service, because stolen cookies and session tokens remain valid after a password change until the service invalidates them. Cryptocurrency users should move funds to new wallets whose seed phrases were generated on a clean machine; the old seeds must be treated as burned. If chromelevator.exe is confirmed to have executed, a full re-image is the only prudent option, as manual cleanup cannot guarantee that the system's integrity has been restored.
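The persistence chain described in the infection section and the cleanup steps above touch the same artifacts, so one script can cover both: run without switches it only reports what it finds, and with -Remediate it removes the scheduled task, the Run-key value, the VBScript launchers and the live processes and adds an outbound block for the C2 address. This is an added example written for this article, not a tool from JFrog or from the researchers, and it must be run from an elevated PowerShell session. The article gives the task name, the attrib flags, the temp and Startup folder locations and the C2 indicators; it does not give the Run-key value name or the launcher's file name, so the script keys on content (Run values that reference wscript or a .vbs file, hidden .vbs files in %TEMP%) rather than on fixed names, and that heuristic is the author's assumption. It deliberately does nothing about chromelevator.exe: if that binary ran, re-image.

```powershell
# Added example, not from the report: report (and with -Remediate, remove) the
# undicy-http host indicators described in the article. Run elevated.
# Assumptions: Run-key values and %TEMP% launchers are identified by content
# (wscript / .vbs references, hidden attribute), since their names are not published.
[CmdletBinding()]
param([switch]$Remediate)

$TaskName = 'ScreenLiveClient'
$C2Ip     = '24.152.36.243'
$C2Domain = 'amoboobs.com'
$RunKeys  = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
              'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
$Startup  = [Environment]::GetFolderPath('Startup')
$MetaProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
$findings = @()

# 1. Scheduled task created as the primary persistence mechanism
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $findings += "Scheduled task $TaskName -> $($task.Actions.Execute) $($task.Actions.Arguments)"
    if ($Remediate) { Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false }
}

# 2. Run-key values that launch wscript or a .vbs file (fallback persistence)
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($MetaProps -contains $p.Name) { continue }
        if ("$($p.Value)" -match '(?i)wscript|\.vbs') {
            $findings += "Run value $key\$($p.Name) = $($p.Value)"
            if ($Remediate) { Remove-ItemProperty -Path $key -Name $p.Name }
        }
    }
}

# 3. VBScript launchers: Startup-folder copies and hidden .vbs files in %TEMP%
#    (-Force is required because attrib +h +s hides them from a normal listing)
$vbs = @()
$vbs += Get-ChildItem -Path $Startup -Filter *.vbs -File -Force -ErrorAction SilentlyContinue
$vbs += Get-ChildItem -Path $env:TEMP -Filter *.vbs -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }
foreach ($f in $vbs) {
    $findings += "VBScript launcher $($f.FullName) (attributes: $($f.Attributes))"
    if ($Remediate) {
        attrib -h -s "$($f.FullName)"              # undo attrib +h +s before deleting
        Remove-Item -LiteralPath $f.FullName -Force
    }
}

# 4. Live node and wscript processes that may be the RAT
foreach ($pr in (Get-Process -Name node, wscript -ErrorAction SilentlyContinue)) {
    $findings += "Process $($pr.ProcessName) pid $($pr.Id): $($pr.Path)"
    if ($Remediate) { Stop-Process -Id $pr.Id -Force }
}

# 5. Network: current connections to the C2, plus an outbound block rule
foreach ($c in (Get-NetTCPConnection -RemoteAddress $C2Ip -ErrorAction SilentlyContinue)) {
    $findings += "Connection to ${C2Ip}:$($c.RemotePort) from pid $($c.OwningProcess)"
}
$ruleName = "Block $C2Domain C2"
if ($Remediate -and -not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block -RemoteAddress $C2Ip | Out-Null
}

if ($findings.Count -eq 0) { 'No undicy-http host indicators found.' }
else { $findings | ForEach-Object { " [!] $_" } }
```

Run it once without -Remediate and keep the output as evidence before cleaning, because the Run-key value and the launcher path it reports are the host-specific indicators you will want to search for on other machines. The firewall rule blocks only the published IP; resolution of amoboobs[.]com should be blocked at the resolver or proxy, since a host firewall rule cannot match on a domain name.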