Malicious NPM Packages Target Roblox Users with Data-Stealing Malware

Nov 08, 2024 | Ravie Lakshmanan | Open Source / Malware

An ongoing campaign is targeting the npm package repository with bogus JavaScript libraries designed to infect Roblox users with open-source stealer malware such as Skuld and Blank-Grabber.


“The recent event showcases the concerning simplicity with which threat actors can initiate supply chain assaults by leveraging trust and human oversight within the open source ecosystem, and using readily accessible off-the-shelf malware, public platforms like GitHub for hosting malicious executables, and communication channels like Discord and Telegram for C2 activities to bypass conventional security measures,” Socket security analyst Kirill Boychenko commented in a report shared with The Hacker News.


The list of malicious packages is as follows –

doubly linked list library for JavaScript. Similarly, rolimons-api is a deceptive imitation of Rolimon's API.


“Although unofficial wrappers and modules exist — like the rolimons Python bundle (downloaded over 17,000 times) and the Rolimons Lua component on GitHub — the malicious rolimons-api packages endeavored to exploit developers’ reliance on recognizable titles,” Boychenko mentioned.

The rogue packages embed hidden code that downloads and executes Skuld and Blank Grabber, stealer malware families written in Golang and Python, respectively, that can collect a wide range of data from compromised systems. The harvested data is then exfiltrated to the attacker via a Discord webhook or Telegram.


To evade security defenses, the malware binaries are downloaded from a GitHub repository (“github[.]com/zvydev/code/”) controlled by the threat actor.

The growing popularity of Roblox in recent times has prompted threat actors to actively distribute bogus packages targeting developers and users alike. Earlier this year, several bogus packages such as noblox.js-proxy-server, noblox-ts, and noblox.js-async were observed impersonating the popular noblox.js library.

With malicious actors exploiting trust in widely used packages to push typosquatted packages, developers are urged to verify package names and carefully review source code before downloading.
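As an added example (not code from the article, from Socket, or from the noblox.js project), a small Node.js dependency audit that flags package names that merely resemble a trusted one, the way the noblox.js lookalikes named above did; the trusted list, the suffix rules and the sample dependency map are constructed assumptions.

```javascript
// Added example, not code from the article or from Socket: audit a package.json
// dependency map for names that merely resemble a trusted package. The trusted
// list, the suffix rules and the sample dependencies are constructed assumptions.
const TRUSTED = ["noblox.js"]; // the packages we actually intend to depend on

// Classic Levenshtein edit distance between two strings.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Peel off tokens that lookalikes bolt onto a trusted name (-ts, -async, -proxy-server)
// until nothing more comes off, so that base names can be compared.
const SUFFIX = /[-_.](js|ts|api|async|proxy|server|client|wrapper)$/;
function stem(name) {
  let s = name.toLowerCase(), prev;
  do { prev = s; s = s.replace(SUFFIX, ""); } while (s !== prev);
  return s;
}

// One finding per dependency that is not a trusted package but reduces to, or
// sits within two edits of, a trusted package's base name.
function auditDependencies(deps, trusted = TRUSTED) {
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (trusted.includes(name)) continue; // exact match: the package we meant
    for (const good of trusted) {
      const s = stem(name), g = stem(good);
      const reason = s === g ? "trusted name with extra suffix"
        : editDistance(s, g) <= 2 ? "within two edits of a trusted name" : null;
      if (reason) { findings.push({ name, lookalikeOf: good, reason }); break; }
    }
  }
  return findings;
}

// Constructed dependency map: one genuine package, the three lookalikes named in
// the article, one constructed misspelling and one unrelated package.
const SAMPLE_DEPS = {
  "noblox.js": "^4.0.0", "noblox-ts": "1.0.0", "noblox.js-proxy-server": "1.0.0",
  "noblox.js-async": "1.0.0", "nobolx.js": "1.0.0", "express": "^4.18.0",
};
console.log(auditDependencies(SAMPLE_DEPS)); // flags the four lookalikes, not express
```

Run it against the `dependencies` object of a real package.json before `npm install`; a non-empty result is a prompt to read the package's source, not proof of malice.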

“As open-source ecosystems expand and more developers depend on shared code, the threat landscape widens, with threat actors hunting for more opportunities to insert malicious code,” Boychenko highlighted. “This event underscores the necessity for heightened vigilance and robust security practices among developers.”
