Malicious npm Packages Targeting Roblox Users (2024)


For over a year, a persistent malware campaign has targeted Roblox developers through malicious npm packages. By mimicking the popular “noblox.js” library, the attackers have published dozens of packages designed to steal sensitive data and compromise the systems they are installed on. The campaign exploits trust in the open-source ecosystem and targets the Roblox platform, attractive to attackers because of its user base of over 70 million daily active users. Despite multiple takedowns, new malicious packages keep appearing, and some were still live on the npm registry at the time of writing, so developers need to stay vigilant against this ongoing threat.

Key Points

  • Dozens of malicious npm packages mimicking the popular “noblox.js” library have been identified in a campaign dating back to August 2023, with the most recent ones appearing in late August 2024.
  • The attackers have employed brandjacking, combosquatting, and starjacking to create a convincing illusion of legitimacy for their malicious packages.
  • The malware’s capabilities include Discord token theft, system information harvesting, persistence, and deployment of additional payloads such as QuasarRAT.
  • The malware persists by hijacking the ms-settings protocol handler in the current user’s registry hive (HKCU, so no administrator rights are needed to write it), causing its payload to run whenever the user opens the Windows Settings app.
  • While the identified malicious packages have been removed from npm, the attacker’s GitHub repository containing the malicious executables remains active, posing a potential threat for future attacks.

Malware in Disguise: The Social Engineering Aspect

The attackers have employed a multi-faceted approach to craft an illusion of authenticity around their malicious packages.

One tactic combines brandjacking and combosquatting, two methods that fall under the broader category of typosquatting: the packages carry the legitimate “noblox.js” name plus an affix, which makes them look like extensions of, or companions to, the real library.

For example: noblox.js-async, noblox.js-thread, and noblox.js-api.

Since libraries commonly have multiple versions or extensions for specific use cases, mimicking this naming pattern increases the likelihood that developers will install the attackers’ packages, assuming they’re official extensions of “noblox.js.”

Another tactic is starjacking, in which a package borrows the reputation of a popular project by listing that project’s source repository in its own package.json. npm renders the repository link without verifying that the package was actually published from that repository, and sites that pull stars, forks and issue counts from the link display the legitimate project’s numbers. Here the malicious packages were linked to the GitHub repository of the genuine “noblox.js”, which falsely inflates their perceived popularity and trustworthiness.
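A lightweight check for the two naming tricks above, written as an added example for this page (it is not Checkmarx’s tooling and not part of noblox.js). It takes the parsed package.json of a candidate package, flags names that are affix variants of a watched package, and flags a repository field that points at the watched package’s repository while the package name differs. The watch list and the manifests fed in are constructed for the example; the noblox.js repository URL is the one the project publishes, but confirm it against the registry before relying on it.

```javascript
// Added example: spot combosquatting (name = watched name + affix) and
// starjacking (repository URL borrowed from the watched package) in an npm
// manifest. Not part of the original write-up or of noblox.js.

// Watched packages -> canonical GitHub repository ("github.com/owner/name").
// The noblox.js entry reflects the project's published repository; treat the
// list as something you maintain and verify yourself.
const WATCHED = {
  "noblox.js": "github.com/noblox/noblox.js",
};

// Reduce the many shapes of a package.json "repository" field to
// "github.com/owner/name": git+https://...git, https://..., ssh/git@ forms,
// "github:owner/name" shorthand, or an object with a url property.
function normalizeRepo(repository) {
  if (!repository) return null;
  let url = typeof repository === "string" ? repository : repository.url;
  if (!url) return null;
  url = url.trim().toLowerCase();
  url = url.replace(/^git\+/, "").replace(/^github:/, "github.com/");
  url = url.replace(/^(?:https?|git|ssh):\/\//, "");
  url = url.replace(/^git@github\.com:/, "github.com/"); // scp-style form
  url = url.replace(/^[^/@]+@/, "");                      // drop user@ prefix
  url = url.replace(/\.git$/, "").replace(/\/+$/, "");
  return url;
}

// Return the watched name that `name` is an affix variant of, or null.
// "noblox.js-async" and "async-noblox.js" both map to "noblox.js";
// "noblox.js" itself and unrelated names map to null.
function affixVariantOf(name, watched = WATCHED) {
  const n = name.toLowerCase();
  for (const known of Object.keys(watched)) {
    const k = known.toLowerCase();
    if (n === k) continue;
    if (n.startsWith(k) && /^[-_.]/.test(n.slice(k.length))) return known;
    if (n.endsWith(k) && /[-_.]$/.test(n.slice(0, -k.length))) return known;
  }
  return null;
}

// Return the watched name whose repository this manifest claims as its own
// while carrying a different package name, or null.
function starjackOf(manifest, watched = WATCHED) {
  const repo = normalizeRepo(manifest.repository);
  if (!repo) return null;
  for (const [known, knownRepo] of Object.entries(watched)) {
    if (repo === knownRepo && manifest.name.toLowerCase() !== known.toLowerCase()) {
      return known;
    }
  }
  return null;
}

function assessManifest(manifest, watched = WATCHED) {
  return {
    name: manifest.name,
    combosquat: affixVariantOf(manifest.name, watched),
    starjack: starjackOf(manifest, watched),
  };
}

// Constructed manifests mirroring the pattern described in the article.
const SAMPLE_MANIFESTS = [
  { name: "noblox.js-async", version: "1.0.0",
    repository: { type: "git", url: "git+https://github.com/noblox/noblox.js.git" } },
  { name: "noblox.js", version: "1.0.0",
    repository: "github:noblox/noblox.js" },
  { name: "unrelated-lib", version: "1.0.0",
    repository: "https://github.com/example-org/unrelated-lib" },
];

for (const m of SAMPLE_MANIFESTS) {
  const r = assessManifest(m);
  const flags = [
    r.combosquat && `affix variant of ${r.combosquat}`,
    r.starjack && `borrows the repository of ${r.starjack}`,
  ].filter(Boolean);
  console.log(`${m.name}: ${flags.length ? flags.join("; ") : "no naming or repository flags"}`);
}
```

Feed it the package.json of anything you are about to add (for a registry package, `npm view <name> --json` returns the same fields); a hit on either check is a reason to look at the publisher and the install scripts before installing.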


The attackers also disguised the malware within the package itself. They mimicked the file structure of the legitimate “noblox.js” closely, but placed their malicious code in a “postinstall.js” file, heavily obfuscated and padded with nonsensical Chinese characters to deter casual analysis.


These combined techniques create a convincing façade of legitimacy, significantly increasing the chances of the malicious packages being installed and executed on developers’ systems. As reported in previous analyses by Socket, Stacklok and ReversingLabs, these tactics have been consistently employed and refined throughout the year-long campaign.

Attack Flow


The malicious code relies on npm’s postinstall lifecycle script, which npm runs automatically, with the installing user’s privileges, as soon as the package is installed, whether on a developer’s workstation or in a CI job. A hook designed for legitimate setup work thus becomes the entry point that runs the obfuscated malware without the user’s knowledge or consent.

At first glance, the obfuscated code appears daunting and impenetrable. However, an online automated JavaScript deobfuscation tool was enough to gain significant insight into the malicious code’s operation and reveal the general steps the malware takes. The resulting code still contained confusing elements and required additional manual cleaning before its functionality could be fully understood. This incremental deobfuscation and analysis allowed us to piece together the complete attack flow; its most notable details are listed below.

Discord Token Theft

The malware searches for Discord authentication tokens in multiple locations.


The stolen tokens are then validated to ensure only active ones are exfiltrated.

Antivirus Evasion

The malware aggressively undermines the system’s security measures. It first targets Malwarebytes, attempting to stop its service if it is running. It then attacks Windows Defender: the script enumerates all disk drives and adds each drive root to Defender’s exclusion list, which blinds real-time scanning to every file on the system. Changing Defender preferences requires an elevated context, so this step only succeeds when the install itself ran with administrator rights; when it does, Defender records the change in its operational event log (event ID 5007, configuration changed), which is a useful detection point. By disabling third-party antivirus and manipulating the built-in protection, the malware creates an environment in which it can operate freely, significantly increasing its potential for damage and persistence.


Additional Payload Deployment

The malware extends its capabilities by downloading two additional executables from the attacker’s GitHub repository. These files, “cmd.exe” and “Client-built.exe”, are fetched using base64-encoded URLs and saved to the “C:\WindowsApi” directory under randomized names. Each name combines a “nodeapi_” prefix with a unique hexadecimal string, likely so that the dropped files look like legitimate system components.


Persistence Mechanism

To ensure long-term access, the malware manipulates a Windows registry key to ensure it runs consistently on the infected system.


Specifically, it adds the path of the downloaded “Client-built.exe” to the strategic registry location:

“HKCU\Software\Classes\ms-settings\Shell\Open\command”

By modifying this key the malware hijacks legitimate Windows functionality: whenever the user opens the Windows Settings app, the system executes the malware instead. This is the same registry location abused by the well-known fodhelper.exe UAC bypass. On a clean system the ms-settings subkey does not exist under HKCU\Software\Classes at all, so its mere presence is a strong indicator, and cleanup means deleting the key and the binary it points to.

Data Exfiltration

Throughout its execution, the malware collects various types of sensitive information from the infected system, packages it, and sends it to the attacker through a Discord webhook (listed in the IOCs below). Because a webhook is just an HTTPS POST to discord.com, the traffic blends in with ordinary usage; outbound requests to discord.com/api/webhooks from build machines and developer hosts are worth alerting on.

QuasarRAT Deployment

The final stage deploys QuasarRAT, an open-source remote access tool that gives the attacker extensive control over the infected system. The “Client-built.exe” fetched earlier is consistent with a Quasar client, whose builder emits a binary of that name by default.

The Attacker

The second-stage malware originates from an active GitHub repository: https://github.com/aspdasdksa2/callback. As of this writing, the repository remains accessible and potentially in use for distributing malware through other packages. The repository, owned by user “aspdasdksa2”, contains multiple malicious executables. The repository’s continued existence and its content suggest ongoing malware development and distribution.


Previous malicious npm packages were found to be linked to a different repository of that user for their second stage, but that repository is no longer accessible.

Notably, the attacker maintains a second repository named “noblox-spoof”, which appears to house the latest malicious npm package content, directly referencing the target of this campaign.

The most recent malicious packages impersonating the popular noblox.js library (four packages published by user “bicholassancheck14” – noblox.js-async, noblox.js-threads, noblox.js-thread, and noblox.js-api) have been taken down after we promptly reported them to npm’s security team. While this is a positive development, it’s important to note that the threat is not entirely neutralized.

We strongly advise the developer community to remain vigilant. The attacker’s continued infrastructure presence and persistence pose an ongoing threat. Developers should exercise caution, particularly when working with packages that resemble popular libraries like noblox.js.

Conclusion

This malware campaign, targeting Roblox developers through npm packages, has persisted for over a year. By mimicking the popular “noblox.js” library, attackers published dozens of malicious packages designed to steal sensitive data and compromise systems.

Central to the malware’s effectiveness is its approach to persistence, leveraging the Windows Settings app to ensure sustained access.

The discovery of these malicious NPM packages serves as a stark reminder of the persistent threats facing the developer community. By masquerading as legitimate, helpful libraries, attackers continue to find new ways to exploit trust within the open-source ecosystem.

This campaign underscores the critical importance of thoroughly vetting packages before incorporation into projects. Developers must remain vigilant, verifying the authenticity of packages, especially those resembling popular libraries, to protect themselves and their users from such sophisticated supply chain attacks.

As part of the Checkmarx Supply Chain Security solution, our research team continuously monitors suspicious activities in the open-source software ecosystem. We track and flag “signals” that may indicate foul play and promptly alert our customers to help protect them.

Packages

  • noblox.js-async
  • noblox.js-thread
  • noblox.js-api
  • noblox.js-threads

IOC

  • hxxps[:]//github[.]com/aspdasdksa2/callback/raw/main/Client-built.exe
  • hxxps[:]//github[.]com/aspdasdksa2/callback/raw/main/cmd.exe
  • hxxps[:]//discord[.]com/api/webhooks/1273489016658071624/HWeSPo3qKIbUbqkwiWNoTneHoqo70s5aAYf9NBkAxoICy1SBMezf9ka22Ry59WK1kwYk