Since the beginning of August 2023, more than a dozen malicious packages have been found in the npm package repository. These packages can install an open-source information stealer named Luna Token Grabber on the systems of Roblox developers.
Malicious npm Packages
ReversingLabs discovered the campaign, which has been active since August 1. It uses modules that pose as the legitimate noblox.js package, a tool that helps developers write scripts for the Roblox gaming platform.
The software supply chain security company compared it to a similar attack from two years earlier, in October 2021.
In an analysis on Tuesday, software threat researcher Lucija Valentić explained that the harmful packages “…copy code from the real noblox.js package but also include dangerous functions meant to steal information.”
The packages had been downloaded a total of 963 times before they were removed. The offending packages were:
- noblox.js-vps (versions 4.14.0 to 4.23.0)
- noblox.js-ssh (versions 4.2.3 to 4.2.5)
- noblox.js-secure (versions 4.1.0, 4.2.0 to 4.2.3)
Although the general pattern of this recent attack resembles the earlier one, it also shows some unique traits. One key difference is its use of an executable that carries Luna Grabber.
ReversingLabs describes this as an unusual instance of a multi-stage infection chain on npm.
“Regarding harmful campaigns that focus on software sources, the distinction between complex and simple attacks usually centers on how much the malicious individuals try to hide their attack and make their harmful packages seem valid,” highlighted Valentić.
Specifically, the modules hide their malicious functionality in a separate file named postinstall.js, which runs once installation completes. This blends in because the legitimate noblox.js package ships a file of the same name that prints a thank-you message to users along with links to its documentation and GitHub repository.
ReversingLabs reported that the second stage evolved with each update, adding more features and obfuscation to hinder analysis. The script's main task is to download Luna Token Grabber, a Python tool that collects credentials from web browsers and Discord tokens.
Surprisingly, the operator of the npm campaign appears to have chosen to collect only system information from victims, using the configurable builder that the Luna Token Grabber authors provide.
Luna Token Grabber has been encountered before. In June, Trellix revealed a new information-stealing tool called Skuld, built in Go, which shares similarities with this malware strain.
Indicators of Compromise (IoCs) – npm packages
Second stage payloads: