LofyGang returns after 3-year hiatus with Minecraft-targeted LofyStealer

The Brazilian threat group LofyGang, last seen flooding npm with hundreds of malicious packages in 2022, has resurfaced with a new campaign dubbed LofyStealer aimed at the Minecraft player base. The operation leans on the same playbook the crew used in its earlier run: trojanized packages and tooling designed to harvest credentials, tokens, and payment data from gaming-adjacent communities.

Minecraft’s modding ecosystem makes a logical target — players routinely sideload third-party JARs, launchers, and helper utilities, and Discord token theft remains a high-value payoff in that demographic. The reappearance suggests the group’s infrastructure and developer pipeline survived the 2022 disclosures intact, and that low-friction supply-chain delivery through public package registries and community mod sites continues to pay out.

Defenders watching gaming and developer endpoints should treat unsigned launcher mods and obscure npm dependencies as candidates for review, particularly anything pulling browser cookie stores or Discord LevelDB files post-install.