Roblox Game Developers Facing Threat from Over a Dozen Malicious npm Packages

Since the beginning of August 2023, over twelve malicious packages have been found in the npm package repository. These packages have the ability to install an open-source information stealer named Luna Token Grabber on systems owned by Roblox developers.

Malicious npm Packages

ReversingLabs discovered the ongoing campaign, which has been active since August 1. It uses modules that masquerade as the legitimate package noblox.js, a tool that helps make scripts for the Roblox gaming platform.

The company that focuses on securing software supply chains compared this to a similar attack from two years ago, in October 2021.

In an analysis on Tuesday, software threat researcher Lucija Valentić explained that the harmful packages “…copy code from the real noblox.js package but also include dangerous functions meant to steal information.”


The packages were downloaded a total of 963 times before they were removed. The packages that caused the issue had these names:

  • noblox.js-vps (versions 4.14.0 to 4.23.0)
  • noblox.js-ssh (versions 4.2.3 to 4.2.5)
  • noblox.js-secure (versions 4.1.0, 4.2.0 to 4.2.3)

Although the general pattern of this recent attack resembles the previous one, it also shows some unique traits. One key difference is the use of an executable that carries Luna Grabber.


According to ReversingLabs, this is an unusual case of a multi-stage infection process found on npm.

“Regarding harmful campaigns that focus on software sources, the distinction between complex and simple attacks usually centers on how much the malicious individuals try to hide their attack and make their harmful packages seem valid,” highlighted Valentić.

In particular, the modules hide their harmful functions in a separate file named postinstall.js, which runs after the installation is completed. The file name does not stand out because the legitimate noblox.js package uses a file with the same name to show appreciation to its users and to link to its documentation and GitHub repository.
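A defender's check for the packages named above, as an added example that is not part of the original article or of ReversingLabs' report: it scans a parsed package-lock.json (lockfileVersion 2 or 3 assumed) for the listed names and version ranges and reports whether npm recorded an install script for each hit. The sample lockfile and the lookalike-name heuristic are constructed assumptions.

```javascript
// Added example, not code from ReversingLabs or the noblox.js project.
// Names and version ranges are the ones listed in this article.
const LISTED = {
  "noblox.js-vps": [["4.14.0", "4.23.0"]],
  "noblox.js-ssh": [["4.2.3", "4.2.5"]],
  "noblox.js-secure": [["4.1.0", "4.1.0"], ["4.2.0", "4.2.3"]],
};

// Compare plain x.y.z versions numerically: <0, 0 or >0.
function cmpVersion(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split(".").map(Number));
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Audit a parsed package-lock.json (lockfileVersion 2 or 3 assumed).
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const i = path.lastIndexOf("node_modules/");
    const name = meta.name || (i >= 0 ? path.slice(i + "node_modules/".length) : path);
    const version = meta.version || "0.0.0";
    const listed = (LISTED[name] || []).some(
      ([lo, hi]) => cmpVersion(version, lo) >= 0 && cmpVersion(version, hi) <= 0);
    // Heuristic (assumption): any "noblox.js-<suffix>" name deserves review.
    const lookalike = /^noblox\.js-./.test(name);
    if (!listed && !lookalike) continue;
    findings.push({
      name, version, path,
      reason: listed ? "listed-malicious-version" : "lookalike-name",
      // npm records hasInstallScript when install lifecycle scripts exist
      runsInstallScript: meta.hasInstallScript === true,
    });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "example-bot", version: "1.0.0" },
  "node_modules/noblox.js": { version: "4.15.1", hasInstallScript: true },
  "node_modules/noblox.js-vps": { version: "4.20.0", hasInstallScript: true },
  "node_modules/noblox.js-secure": { version: "4.1.5", hasInstallScript: true },
} };

console.log(auditLock(SAMPLE_LOCK));
```

Installing with `npm ci --ignore-scripts` keeps lifecycle scripts such as postinstall from running while a flagged lockfile is reviewed.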


ReversingLabs reported that the second stage evolved with each update, adding more features and obfuscation to prevent analysis. The main task of this script is to download Luna Token Grabber, a Python tool capable of collecting credentials from web browsers and Discord tokens.

Surprisingly, the perpetrator of the npm campaign seems to have chosen to gather only system information from victims using a customizable builder provided by the authors of Luna Token Grabber.

Luna Token Grabber has been encountered before. In June, Trellix revealed a new information-stealing tool called Skuld, built in Go, which shares similarities with this malware strain.

Indicators of Compromise (IoCs) – npm packages


Second stage payloads:


About the Author:

FirstHackersNews- Identifies Security
