These Roblox npm downloads could be infected with malware


Cyber security researchers have again found (and rooted out) malicious npm packages, this time delivering ransomware and a password-stealing Trojan to unsuspecting users.

Impersonating Roblox JavaScript libraries, the two malicious npm packages are named noblox.js-proxy and noblox.js-proxies. They rely on typosquatting: by changing a single letter of the library name, they present themselves to anyone looking for the legitimate Roblox API wrapper called noblox.js-proxied.

“These typosquatting packages mimic noblox.js, a popular Roblox game API wrapper that exists on npm as a stand-alone package, as well as legitimate variants such as noblox.js-proxied (ending in ‘d’ not ‘s’)”, shares Sonatype security researcher Juan Aguirre.

Noblox.js is an open-source JavaScript API for the popular Roblox game. According to Aguirre, the library, which has recorded more than 700,000 downloads, is commonly used to create in-game scripts that interact with the Roblox website.
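The lookalike pattern described above (a dependency name one edit away from, or a short extension of, a legitimate package) is something a project can check for before installing. The following is an added example, not code from the article or from Sonatype; the allowlist and the sample `dependencies` block are constructed for the demonstration, and the detection thresholds are assumptions a team would tune to its own dependency set.

```javascript
// Added example: flag dependency names that look like near-misses of
// known-good packages. Not part of the article or of Sonatype's tooling.

// Levenshtein edit distance between two strings (single-row DP).
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // D[i-1][j-1] for the current j
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // D[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Constructed allowlist of packages the project has reviewed and trusts.
// In practice this is the project's own vetted dependency list.
const KNOWN_GOOD = ['noblox.js', 'noblox.js-proxied'];

// Returns one finding per (dependency, known-good package) pair where the
// dependency is not itself allowlisted but either sits within `maxDistance`
// edits of a known-good name or is a known-good name with extra text appended.
function findTyposquatCandidates(dependencies, knownGood = KNOWN_GOOD, maxDistance = 1) {
  const findings = [];
  for (const name of Object.keys(dependencies)) {
    if (knownGood.includes(name)) continue;
    for (const legit of knownGood) {
      const distance = editDistance(name, legit);
      if (distance <= maxDistance) {
        findings.push({ name, lookalikeOf: legit, distance, reason: 'edit-distance' });
      } else if (name.startsWith(legit)) {
        findings.push({ name, lookalikeOf: legit, distance, reason: 'prefix-extension' });
      }
    }
  }
  return findings;
}

// Constructed "dependencies" block, as it might appear in a package.json.
const sampleDependencies = {
  'noblox.js-proxied': '^1.0.0', // legitimate, on the allowlist
  'noblox.js-proxy': '^1.0.0',   // the names from the article
  'noblox.js-proxies': '^1.0.0',
  'express': '^4.17.1',          // unrelated, should not be flagged
};

// Run as a script to print the findings for the constructed input.
for (const f of findTyposquatCandidates(sampleDependencies)) {
  console.log(`${f.name} resembles ${f.lookalikeOf} (${f.reason}, distance ${f.distance})`);
}
```

With the constructed input, noblox.js-proxies is reported as one edit away from noblox.js-proxied and as an extension of noblox.js, while noblox.js-proxy (three edits from noblox.js-proxied) is caught only by the prefix rule; that is why a distance-only check would be insufficient for this case. A real CI gate would read `dependencies` and `devDependencies` from the project's package.json and fail the build on any finding that has not been explicitly reviewed.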

A sinister farce?

Analysis of the malicious libraries revealed that their authors had stuffed them with malware: an MBRLocker ransomware masquerading as the notorious GoldenEye ransomware, a password-stealing Trojan, plus a scary video.

Aguirre points out that the two typosquatting libraries could not do any real damage, since they were caught soon after they were published, although they still managed to register 281 and 106 downloads respectively.

“… but it’s clear at what kind of scale threat actors hoped to tackle such a popular component,” Aguirre notes.

Interestingly, this attempt to deliver ransomware comes just days after Sonatype researchers discovered a bold attempt by malicious actors to hijack the developer account of the widely used UAParser.js library, in order to replace its legitimate code with code infused with malware and Trojans.

While Sonatype believes the bogus Roblox libraries were likely planted as a prank, the incident is yet another indication that adversaries are not going to stop abusing popular open source repositories anytime soon.
