A sustained malware campaign targeting Roblox developers through malicious npm packages has been uncovered by Checkmarx security researchers. The attackers are impersonating the popular “noblox.js” library, publishing dozens of packages designed to steal sensitive information and compromise systems.
The campaign, which has been active for over a year, exploits trust in the open-source ecosystem. It particularly targets the Roblox platform, a lucrative target due to its massive user base of over 70 million daily active users.
Despite multiple takedowns, new malicious packages continue to appear. Worryingly, some remain active on the npm registry as of the time of writing.
Malware in disguise
The attackers have gone to great lengths to craft an illusion of legitimacy around their malicious packages. This involves a sophisticated mix of brandjacking, combosquatting, and starjacking techniques.
Combosquatting involves creating names that suggest the packages are extensions of, or closely related to, the genuine “noblox.js” library: for example, “noblox.js-async,” “noblox.js-thread,” and “noblox.js-api.”
As libraries often have multiple versions or extensions, mimicking this naming pattern makes it more likely unsuspecting developers will install the malicious packages.
Starjacking is another tactic employed to further the illusion of legitimacy. By listing the legitimate library’s GitHub repository URL in the malicious packages’ metadata, the attackers borrow that project’s stars, history and activity, falsely inflating their packages’ perceived popularity and trustworthiness.
Even the malware within the package is carefully disguised. The attackers mimicked the structure of the legitimate “noblox.js” but placed their malicious code in a “postinstall.js” file. They then heavily obfuscated this code, mixing in Chinese characters to deter analysis.
These combined techniques create a convincing façade of legitimacy, significantly increasing the likelihood of the malicious packages being installed and executed.
Attack flow
Once installed, the malicious code exploits npm’s “postinstall” hook to execute automatically: npm runs lifecycle scripts declared in a package’s “scripts” section by default during installation, so a feature designed for legitimate setup processes is turned into a gateway for the malware. Installing with “--ignore-scripts” (or setting “ignore-scripts=true” in .npmrc) prevents these hooks from running, at the cost of breaking packages that genuinely need them.
The initially obfuscated code can be deobfuscated using readily available online tools, revealing the malware’s operation. The code steals Discord authentication tokens, disables security measures like Malwarebytes and Windows Defender, and downloads additional payloads from the attacker’s GitHub repository.
Furthermore, the malware employs a sophisticated persistence technique. It manipulates the Windows registry to execute itself every time the Windows Settings app is opened, ensuring its survival on the infected system.
Throughout its execution, the malware gathers sensitive system information, packages it neatly, and exfiltrates it to the attacker through a Discord webhook, which serves as the command-and-control channel in place of a dedicated server.
Finally, the coup de grâce comes with the deployment of QuasarRAT—a remote access tool granting the attacker comprehensive control over the compromised system.
Ongoing threat
The second-stage malware originates from an active GitHub repository: https://github.com/aspdasdksa2/callback—a worrying sign that this infrastructure remains both accessible and potentially in use for distributing malware through other unsuspecting packages.
While the most recent malicious packages have been removed by npm’s security team, the attacker’s continued infrastructure presence and persistence represent a very real and ongoing threat.
Developers, particularly those working with packages whose names resemble popular libraries like “noblox.js,” are urged to exercise extreme caution. Thoroughly vetting packages before incorporating them into projects, including checking who published them, where their repository field actually points, and whether they declare install-time scripts, is a necessity to protect developers and users from sophisticated supply chain attacks like this.
Attackers are becoming increasingly savvy, finding new and ingenious ways to exploit trust within the open-source ecosystem. Vigilance and a healthy dose of scepticism are more vital than ever.