The new campaign targeted the npm package registry with malicious JavaScript libraries designed to infect Roblox users with open source malware such as Skuld and Blank Grabber.
“This incident highlights the alarming ease with which threat actors can attack supply chains by exploiting trust and human error in the open source ecosystem and using readily available malware, public platforms such as GitHub to host malicious executables, and communication channels such as Discord and Telegram for C2 operations to bypass traditional security measures,” Socket security researcher Kirill Boychenko said in a report shared with The Hacker News.
The list of malicious packages is as follows –
It should be noted that “node-dlls” is an attempt by the threat actor to impersonate the legitimate node-dll package, which provides a doubly linked list implementation for JavaScript. Likewise, rolimons-api poses as a wrapper for the Rolimon's API.
“While there are unofficial wrappers and modules — such as the rolimons Python package (downloaded more than 17,000 times) and the Rolimons Lua module on GitHub — the malicious rolimons-api packages sought to exploit developers’ trust in familiar names,” Boychenko noted.
The fake packages contain obfuscated code that downloads and executes Skuld and Blank Grabber, stealer malware families written in Golang and Python, respectively, that are capable of collecting a wide range of information from infected systems. The harvested data is then transmitted to the attacker via a Discord or Telegram webhook.
In a further attempt to evade security measures, the malware binaries are fetched from a GitHub repository (“github(.)com/zvydev/code/”) controlled by the threat actor.
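The traits described above (an install-time hook, a download from GitHub followed by execution, a Discord or Telegram webhook for exfiltration, crude string obfuscation) are each cheap to spot statically. The following is an added example, not code from Socket's report or from the article: a small triage scanner for an unpacked npm package, given as an object mapping file paths to contents so it runs offline. The sample packages, their names, URLs and the webhook token are constructed for illustration.

```javascript
// Added example (not from the article or Socket). Static triage of an
// unpacked npm package: flag lifecycle install hooks, exfiltration endpoints,
// download-then-execute pairs and obfuscation tells, then combine them.
// Every package name, URL and token below is constructed for illustration.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

const INDICATORS = [
  { id: 'discord-webhook',
    re: /https?:\/\/(?:[\w-]+\.)?discord(?:app)?\.com\/api\/webhooks\/\d+\/[\w-]+/i },
  { id: 'telegram-bot-api',
    re: /https?:\/\/api\.telegram\.org\/bot\d+:[\w-]+\/\w+/i },
  { id: 'github-download',
    re: /https?:\/\/(?:raw\.githubusercontent\.com\/|github\.com\/[\w.-]+\/[\w.-]+\/(?:raw|releases\/download)\/)/i },
  { id: 'child-process-exec',
    re: /\b(?:child_process|execSync|spawnSync|execFile|spawn|exec)\b/ },
  { id: 'string-eval', re: /\b(?:eval|new Function)\s*\(/ },
  // long runs of \x.. or \u.... escapes are a cheap obfuscation tell
  { id: 'escaped-strings', re: /(?:\\x[0-9a-f]{2}){8,}|(?:\\u[0-9a-f]{4}){8,}/i },
];

// files: { "relative/path": "file contents" } for one unpacked package.
function scanPackage(files) {
  const findings = [];
  if (files['package.json']) {
    const pkg = JSON.parse(files['package.json']);
    for (const hook of INSTALL_HOOKS) {
      if (pkg.scripts && pkg.scripts[hook]) {
        findings.push({ file: 'package.json', id: 'install-hook',
                        detail: `${hook}: ${pkg.scripts[hook]}` });
      }
    }
  }
  for (const [file, content] of Object.entries(files)) {
    if (!/\.(?:c|m)?js$/.test(file)) continue;
    for (const { id, re } of INDICATORS) {
      const m = content.match(re);
      if (m) findings.push({ file, id, detail: m[0].slice(0, 80) });
    }
  }
  return findings;
}

// Exfiltration endpoints or a download-plus-exec pair are suspicious on their
// own; combined with an install hook they run on `npm install`, which is the
// scenario the article describes.
function verdict(findings) {
  const ids = new Set(findings.map(f => f.id));
  const exfil = ids.has('discord-webhook') || ids.has('telegram-bot-api');
  const dropper = ids.has('github-download') && ids.has('child-process-exec');
  if ((exfil || dropper) && ids.has('install-hook')) return 'malicious';
  if (exfil || dropper) return 'suspicious';
  return 'clean';
}

// Constructed sample: a lookalike package with a postinstall dropper.
const SAMPLE_PACKAGE = {
  'package.json': JSON.stringify({
    name: 'example-lookalike', version: '1.0.0',
    scripts: { postinstall: 'node setup.js' },
  }),
  'setup.js': [
    "const { execSync } = require('child_process');",
    "const bin = 'https://github.com/example-org/example-repo/raw/main/payload.bin';",
    "const hook = 'https://discord.com/api/webhooks/000000000000000000/hypothetical-token';",
    '// ... fetch bin, write it to disk, execSync it, POST collected data to hook ...',
  ].join('\n'),
  'index.js': "module.exports = { version: '1.0.0' };",
};

// Constructed sample: an ordinary package with no install hook or indicators.
const CLEAN_PACKAGE = {
  'package.json': JSON.stringify({ name: 'example-clean', version: '2.1.0',
                                   scripts: { test: 'node test.js' } }),
  'index.js': 'module.exports = function add(a, b) { return a + b; };',
};

console.log(verdict(scanPackage(SAMPLE_PACKAGE)), verdict(scanPackage(CLEAN_PACKAGE)));
```

The regexes only catch URLs that appear in the clear; a build that hides the webhook and download URLs behind string encoding or a packer will defeat them, which is why the obfuscation indicators are included and why a result of `suspicious` should be followed by running the install script in a sandbox with network capture rather than dismissed.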
Roblox's popularity in recent years has led threat actors to actively push fake packages at both developers and users. Earlier this year, several malicious packages such as noblox.js-proxy-server, noblox-ts and noblox.js-async were found impersonating the popular noblox.js library.
Because threat actors exploit the trust placed in widely used packages to push typosquatted lookalikes, developers are encouraged to verify package names and review the source code carefully before installing them.
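Checking a package name against the ones you already trust is something a dependency-review step can automate. The following is an added example, not code from the article or from Socket: it normalizes names, computes optimal-string-alignment distance (Damerau-Levenshtein with adjacent transpositions), and adds a rule for a trusted name with a suffix bolted on, which covers every lookalike the article names (node-dlls, rolimons-api, noblox-ts, noblox.js-async). The trusted list is constructed from names mentioned on the page; the distance threshold and the minimum-length cut-off are assumptions.

```javascript
// Added example (not from the article or Socket). Flag dependency names that
// are near-misses of packages on a trusted list. The list, the distance
// threshold of 2 and the 4-character minimum are assumptions for illustration.

function normalize(name) {
  return name.toLowerCase()
    .replace(/^@[^/]+\//, '')   // drop an npm scope such as "@org/"
    .replace(/[-_.]/g, '');     // so "noblox.js" and "noblox-js" compare equal
}

// Optimal string alignment distance: insert, delete, substitute, or swap two
// adjacent characters, each costing 1.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Returns one entry per trusted name the candidate resembles, with the rule
// that fired. An empty array means the name is either trusted itself or not
// close to anything trusted.
function lookalikeMatches(candidate, trustedNames, maxDistance = 2) {
  const cand = candidate.toLowerCase();
  const candNorm = normalize(candidate);
  const matches = [];
  for (const trusted of trustedNames) {
    const t = trusted.toLowerCase();
    if (cand === t) continue;                          // it is the trusted package itself
    const tNorm = normalize(trusted);
    if (candNorm === tNorm) {
      matches.push({ trusted, reason: 'differs only in case or separators' });
    } else if (cand.startsWith(t) && /^[-_.]/.test(cand.slice(t.length))) {
      matches.push({ trusted, reason: 'trusted name with a suffix appended' });
    } else if (tNorm.length >= 4) {                    // very short names produce too many hits
      const d = osaDistance(candNorm, tNorm);
      if (d <= maxDistance) matches.push({ trusted, reason: `edit distance ${d}` });
    }
  }
  return matches;
}

// Constructed trusted list built from the legitimate names the article mentions.
const TRUSTED = ['node-dll', 'rolimons', 'noblox.js'];

for (const name of ['node-dlls', 'rolimons-api', 'noblox-ts', 'noblox.js-async', 'express']) {
  console.log(name, JSON.stringify(lookalikeMatches(name, TRUSTED)));
}
```

A match is a prompt to look at the package's publisher, age, download count and source before installing, not a verdict: legitimate forks and wrappers legitimately carry suffixes too, and a distance of 2 on an eight-letter name is loose enough to produce false positives.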
“As open source ecosystems grow and more developers rely on shared code, the attack surface expands and threat actors look for more opportunities to inject malicious code,” said Boychenko. “This incident highlights the need for increased awareness and robust security practices among developers.”