Beware: Roblox Devs Targeted by Malicious npm Packages

Threat actors published five malicious npm packages (node-dlls, ro.dll, autoadv, and two versions of rolimons-api) impersonating legitimate Roblox developer modules. The packages were designed to steal credentials and personal data and were downloaded over 320 times before removal.

The attack combined typosquatting, supply chain compromise, and readily available malware to bypass security measures, underscoring how exposed the open-source ecosystem is to such attacks.

Roblox, a popular online platform and game creation system, faces ongoing cyber threats due to its massive user base and developer community. Recent attacks, such as the malicious package incident in early 2024, highlight the persistent risk of unauthorized access and data theft. 

Attackers exploit the platform’s popularity and the community’s reliance on open-source code to distribute malicious software and compromise accounts, which underscores the need for robust security measures to protect both users and developers within the Roblox ecosystem.

The attackers targeted Roblox developers by publishing malicious npm packages that mimicked popular development tools; the packages node-dlls and rolimons-api in particular were designed to steal sensitive information.

Once installed, these packages downloaded and executed Skuld infostealer and Blank Grabber malware, compromising the security of developers’ systems and potentially their projects. 

Skuld InfoStealer and Blank Grabber are two malware families targeting Windows systems. Skuld, a Go-based tool, extracts sensitive data from various applications, including browsers and cryptocurrency wallets, while evading security measures. 

Blank Grabber, a Python-based malware, steals similar data and offers a user-friendly interface for customization. Both malware families pose significant threats to user privacy and security and have been observed in recent cyberattacks.

Skuld infostealer on the left and Blank Grabber malware on the right showing credential-stealing capability

The malicious npm packages, identified by Socket’s AI scanner, contained heavily obfuscated JavaScript code, which was designed to download and execute malicious executables from external sources. 

The use of `exec` to run downloaded content without user consent is a strong indicator of malicious intent. The attackers used Discord and Telegram for command and control (C2) communication; because developers legitimately use both services, the C2 traffic blends in with normal activity and is harder to detect.

The malicious code leverages GitHub to host and download obfuscated JavaScript payloads, which, once executed, download and run malicious executables, specifically the Skuld infostealer and Blank Grabber malware.

Currently defunct GitHub repository that was used by the threat actor to host malware

By utilizing PowerShell for execution, the threat actor can bypass security measures and gain unauthorized access to the victim’s system, enabling data theft and potential further malicious activities.
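The traits described above (install-time execution, `exec` of downloaded content, PowerShell, GitHub-hosted payloads, Discord/Telegram C2, obfuscated JavaScript) can be turned into a pre-install check. The following is an added example, not code from the article or from Socket; the sample package contents, package name and hostnames are constructed placeholders, and the scoring thresholds are this example's own choice.

```javascript
// Added example, not code from the article or from Socket. Scans an unpacked npm
// package (map of path -> file text) for the traits the article describes:
// lifecycle install hooks, child_process exec, PowerShell, payloads fetched from
// GitHub, Discord/Telegram C2 endpoints, and hex-escape/_0x-style obfuscation.
const INDICATORS = [
  { id: 'install-hook', re: /"(pre|post)install"\s*:/, files: /package\.json$/ },
  { id: 'child-process-exec', re: /\bexec(Sync)?\s*\(/, files: /\.js$/ },
  { id: 'powershell', re: /powershell(\.exe)?\b/i, files: /\.js$/ },
  { id: 'github-hosted-payload', re: /https?:\/\/(raw\.githubusercontent\.com|github\.com)\/\S+/i, files: /\.js$/ },
  { id: 'discord-c2', re: /discord(app)?\.com\/api\/webhooks\//i, files: /\.js$/ },
  { id: 'telegram-c2', re: /api\.telegram\.org\/bot/i, files: /\.js$/ },
  { id: 'obfuscation', re: /(\\x[0-9a-f]{2}){8,}|_0x[0-9a-f]{4,}/i, files: /\.js$/ },
];

// Scan every file of the package; each finding names the indicator and the file.
function scanPackage(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    for (const ind of INDICATORS) {
      if (ind.files.test(path) && ind.re.test(text)) findings.push({ id: ind.id, path });
    }
  }
  return findings;
}

// Verdict: an install hook plus exec plus a payload host or C2 channel is the
// combination the article describes; anything with two or more hits gets a review.
function verdict(findings) {
  const ids = new Set(findings.map(f => f.id));
  const c2 = ids.has('discord-c2') || ids.has('telegram-c2') || ids.has('github-hosted-payload');
  if (ids.has('install-hook') && ids.has('child-process-exec') && c2) return 'block';
  return ids.size >= 2 ? 'review' : 'allow';
}

// Constructed sample modelled on the behaviour the article describes (not the
// real package contents); the package name and URLs are placeholders.
const SAMPLE_PACKAGE = {
  'package.json': '{"name":"example-typosquat","version":"1.0.0","scripts":{"postinstall":"node index.js"}}',
  'index.js': [
    "const { exec } = require('child_process');",
    "const _0x1a2b = ['https://raw.githubusercontent.com/EXAMPLE-ORG/EXAMPLE-REPO/main/p.js'];",
    "exec('powershell.exe -Command ...');",
    "fetch('https://discord.com/api/webhooks/000/EXAMPLE');",
  ].join('\n'),
};
```

Running `verdict(scanPackage(SAMPLE_PACKAGE))` on the constructed sample returns `'block'`; a package with no install hook and no network indicators returns `'allow'`.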

According to Socket, threat actors are exploiting the growth of open-source ecosystems by targeting developers with malicious code disguised as legitimate packages. They leverage techniques like typosquatting and infiltrating trusted platforms to compromise applications. 

To mitigate these risks, developers must prioritize security by carefully verifying package names, reviewing third-party code, and utilizing security tools to identify and prevent malicious packages.

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.