LofyGang returns with undicy-http typosquat delivering dual-payload RAT
JFrog tied undicy-http@2.0.0 (a typosquat of undici) to the Brazil-based LofyGang group last seen in 2022. The package pairs a Node.js WebSocket RAT with a native chromelevator.exe binary that uses direct syscalls for process hollowing, then injects browser credential stealers targeting 50+ browsers and 90+ wallet extensions.
- Threat actor
- LofyGang
- Detected by
- JFrog
- Also known as
- GlassWorm-adjacent
- Ecosystems
- npm
- Packages tracked
- 1
What happened
JFrog tied undicy-http@2.0.0 — a typosquat of the popular undici HTTP client — to LofyGang, the Brazil-based crew first documented by Checkmarx in October 2022. The package author field reads ConsoleLofy, hardcoded strings include Lofygang | t.me/lofygang, and the logging is in Portuguese, all consistent with prior LofyGang tooling.
The campaign is a meaningful capability jump. Earlier LofyGang payloads were JavaScript-only stealers for Discord tokens and credit cards. This release pairs a Node.js WebSocket RAT (C2 24.152.36.243:3000) with a native chromelevator.exe binary that uses direct syscalls for process hollowing, then injects browser credential stealers covering 50+ browsers and 90+ wallet extensions including 28+ desktop wallets and 6 hardware-wallet integrations.
- Native binary SHA-256:
d6090c843c58f183fb5ed3ab3f67c9d96186d1b30dfd9927b438ff6ffedee196. - Payload host:
amoboobs.com(Cloudflare-fronted), last modified2026-03-21. - Exfiltration channels: Discord webhooks, Telegram API,
gofile.io,catbox.moe. - Persistence: scheduled task
ScreenLiveClientand Discord client trojanisation.
The binary matches YARA rule MAL_Browser_Stealer_Dec25_2, the same signature used to track the broader GlassWorm developer-targeting campaign across npm, PyPI and GitHub. Session hijack targets include Roblox, Instagram, Spotify, TikTok, Steam and Telegram — anyone with credentials on the host should treat them as compromised.
Affected packages (1)
- npm
undicy-http2.0.0
Impact
- Browser credential and 28+ desktop wallet theft (incl. 6 hardware-wallet integrations)
- Session hijack across Roblox, Instagram, Spotify, TikTok, Steam, Telegram
- Syscall-level injection means full machine compromise once executed
What to do
- 1
npm uninstall undicy-httpand audit for the typosquat across CI/dev hosts - 2Delete scheduled task
ScreenLiveClientandchromelevator.exe; reinstall Discord - 3Rotate all stored credentials; consider full re-image given syscall-level compromise
- 4Block amoboobs.com and 24.152.36.243 at egress