Deceptive npm Packages Imitating ‘noblox.js’ Put Roblox Developers’ Systems at Risk
Roblox software developers are being targeted in an ongoing scheme aiming to compromise their systems through fake npm packages, highlighting once again how cybercriminals exploit trust in open-source resources to distribute malware.
“Attackers have released numerous packages mimicking the popular ‘noblox.js’ library with the intention of stealing confidential information and compromising systems,” explained Checkmarx researcher Yehuda Gelb in a detailed analysis.
The scheme was first documented in August 2023 by ReversingLabs, which described a campaign delivering an information stealer named Luna Token Grabber and identified it as a repeat of an attack first uncovered in October 2021.
Two additional packages named noblox.js-proxy-server and noblox-ts have been identified this year as malware. These packages masquerade as the popular Node.js library to distribute malicious software like stealer malware and a remote access trojan known as Quasar RAT.
“The bad actors behind this campaign utilized tactics such as brandjacking, combosquatting, and starjacking to create an authentic facade for their nefarious packages,” remarked Gelb.
To give these packages an air of legitimacy, they were named noblox.js-async, noblox.js-thread, noblox.js-threads, and noblox.js-api, tricking unsuspecting developers into believing they are genuine extensions of the legitimate “noblox.js” library.
Below are the download statistics for these packages –
Another crafty method used is starjacking, where the fake packages claim the source repository as that of the real noblox.js library to establish credibility.
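As an added defensive example (not code from the article or from Checkmarx), the following Python audit flags the malicious package names reported above in a project's package.json, flags other lookalikes of the genuine “noblox.js” name, and checks a set of package metadata records for the starjacking pattern, where a differently named package claims the genuine project's source repository. The sample manifest and metadata records are constructed for the demonstration, and the genuine repository path is a placeholder assumption.

```python
import difflib
import json

# Package names the reporting above lists as malicious.
KNOWN_MALICIOUS = {
    "noblox.js-proxy-server", "noblox-ts", "noblox.js-async",
    "noblox.js-thread", "noblox.js-threads", "noblox.js-api",
}
GENUINE = "noblox.js"

def audit_dependencies(package_json_text, similarity=0.8):
    """Map dependency name -> reason for every known malicious or lookalike package."""
    manifest = json.loads(package_json_text)
    findings = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in manifest.get(section, {}):
            if name == GENUINE:
                continue  # the real library is fine
            if name in KNOWN_MALICIOUS:
                findings[name] = "known malicious package"
            elif name.startswith(GENUINE) or \
                    difflib.SequenceMatcher(None, name, GENUINE).ratio() >= similarity:
                # combosquatting ("noblox.js-foo") or a typosquat of the genuine name
                findings[name] = "lookalike of " + GENUINE
    return findings

def flag_starjacking(package_metadata, genuine_repo):
    """Return names of packages that are not the genuine library but declare
    its source repository (e.g. metadata gathered with `npm view`; the dict
    shape used here is constructed for this example)."""
    return [m["name"] for m in package_metadata
            if m["name"] != GENUINE
            and m.get("repository", "").rstrip("/").endswith(genuine_repo)]

# Constructed sample inputs.
SAMPLE_PACKAGE_JSON = """{
  "name": "my-roblox-bot",
  "dependencies": {"noblox.js": "^4.0.0", "noblox.js-api": "1.0.0", "express": "^4.18.0"},
  "devDependencies": {"nobolx.js": "1.0.0"}
}"""
GENUINE_REPO = "example-org/noblox.js"  # placeholder for the real project's repository path
SAMPLE_METADATA = [
    {"name": "noblox.js", "repository": "https://github.com/example-org/noblox.js"},
    {"name": "noblox.js-threads", "repository": "https://github.com/example-org/noblox.js/"},
    {"name": "express", "repository": "https://github.com/expressjs/express"},
]

if __name__ == "__main__":
    print(audit_dependencies(SAMPLE_PACKAGE_JSON))
    print(flag_starjacking(SAMPLE_METADATA, GENUINE_REPO))
```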
The latest version of these packages includes malicious code that acts as a portal for distributing additional payloads from a GitHub repository. This code also steals Discord tokens, evades detection by updating the Microsoft Defender Antivirus exclusion list, and establishes persistence by modifying the Windows Registry.

“The malware’s effectiveness hinges on its persistence strategy, utilizing the Windows Settings app to ensure continual access,” Gelb highlighted. “Consequently, whenever a user tries to access the Windows Settings app, the system inadvertently launches the malware instead.”
The ultimate objective of this attack chain is to unleash Quasar RAT, granting the attacker remote control over the compromised system. The extracted data is then sent to the attacker’s command-and-control (C2) server using a Discord webhook.
These findings show that new packages keep appearing despite takedown efforts, so developers must remain vigilant against this evolving threat.