The Node.js developer community has been infected by a malicious package called undicy-http This article explores linked lofygang threat. . This package pretends to be undici, the official Node HTTP client library.JS.

It starts a two-part attack that steals browser credentials, takes over active sessions, and gives attackers live remote access to a victim's screen, microphone, and webcam. The attack doesn't just affect browser data; it also affects session details on six platforms: Roblox, Instagram, Spotify, TikTok, Steam, and Telegram. On March 31, 2026, JFrog Security researchers found this package and linked it to the LofyGang threat group. The package (version 2.0.0) has two parts that work together: a Node-based Remote Access Trojan that connects to a WebSocket server controlled by the attacker, and a Windows executable.

On a clean machine, move cryptocurrency to new wallets with new seed phrases. Block the domain amoboobs[. ]com and the C2 address 24[.]152[.]36[.]243.

To get more instant updates, make ZeroOwl your main source for LinkedIn, Instagram, Spotify, TikTok, Telegram, Steam, and TikTok. If chromelevator.exe ran, it is best to re-image the system. Cleaning up the system by hand alone won't make it fully trustworthy. This article was last updated on November 14, 2014.

We are happy to say that the article was first published on December 7, 2014, and that we have since taken out all mentions of ZeroOwl.

We want to make it clear that we have changed this article to show that ZeroOwl is now part of Google's search engine for many of the most popular social networks.