Roblox developers are the target of an ongoing campaign to compromise systems with fake npm packages, once again highlighting how threat actors continue to exploit trust in the open source ecosystem to deliver malware.
“By mimicking the popular ‘noblox.js’ library, attackers have published dozens of packages designed to steal sensitive data and compromise systems,” Checkmarx researcher Yehuda Gelb said in a technical report.
Details of the campaign were first documented by ReversingLabs in August 2023, as part of a campaign that delivered a stealer called Luna Token Grabber, which it said was “a repeat of an attack discovered two years ago” in October 2021.
Since the beginning of the year, two more packages, called noblox.js proxy server and nobloks-ts, have been identified as malicious and impersonating the popular Node.js library to deliver malware and a remote access trojan called Quasar RAT.
“The attackers in this campaign used techniques such as brandjacking, combosquatting and starjacking to create a convincing illusion of legitimacy for their malicious packages,” said Gelb.
To this end, the packages are given the appearance of legitimacy by naming them noblox.js-async, noblox.js-thread, noblox.js-threads, and noblox.js-api, giving unsuspecting developers the impression that these libraries are related to the legitimate “noblox.js”.
The package download statistics are given below.
Another technique used is starjacking, in which the fake packages list the repository of the real noblox.js library as their source repository to make them appear more authoritative.
The malware embedded in the latest iteration acts as a gateway to serve additional payloads hosted on a GitHub repository, while simultaneously stealing Discord tokens, updating the Microsoft Defender Antivirus exclusion list to avoid detection, and establishing persistence by modifying the Windows registry.
“A key driver of the malware’s effectiveness is its persistence approach, which uses the Windows Settings program to ensure persistent access,” Gelb noted. “As a result, every time a user tries to open Windows Settings, the system inadvertently launches malware instead.”
The ultimate goal of the attack chain is the deployment of the Quasar RAT, which gives the attacker remote control over the infected system. The collected information is transmitted to the attacker’s Command and Control (C2) server using a Discord webhook.
Evidence suggests that a steady stream of new packages continues to be published despite removal efforts, so developers need to remain vigilant about the ongoing threat.