Malicious Roblox related npm packages detected

Hackers have once again published malicious libraries in npm (Node Package Manager), the JavaScript package registry: this time two packages that imitated libraries for the Roblox gaming platform but in fact distributed credential-stealing malware and ransomware.

The fake packages (noblox.js-proxy and noblox.js-proxies) relied on typo-squatting, mimicking the legitimate noblox.js library (and its genuine variants such as noblox.js-proxied), a wrapper around the Roblox game API that sees about 20,000 downloads per week. The fake packages were uploaded on October 20 and 26 and were downloaded only 281 and 106 times, respectively, according to the Sonatype researchers who spotted the problem.

According to the researchers, the author of noblox.js-proxy first published a benign version of the library, then replaced it with a version containing an obfuscated blob that was in fact a Batch (.bat) script embedded in a post-install JavaScript file.

Figure: obfuscated script in postinstall.js

That Batch script downloaded malicious executables from Discord's Content Delivery Network (CDN). These were responsible for disabling security mechanisms, establishing persistence on the compromised device, stealing credentials, cookies and browser history, and deploying ransomware, including Monster Ransomware, which mimics the GoldenEye malware.

Notably, in the summer of 2021 Sophos experts warned that delivering malware via Discord was becoming increasingly popular: about 4% of all TLS-protected malware (which itself accounts for roughly 46% of all malware) communicates with Discord.

As a reminder, this is not the first report of malicious npm packages this month. Last week, Sonatype experts warned about three libraries that contained a hidden cryptocurrency miner, and earlier this week the developer of the popular JavaScript library UA-Parser-JS reported that it had been hacked, with malicious code injected into the package that downloaded and installed a password-stealing tool and a cryptocurrency miner on users' systems.
