
Roblox Developers Targeted by Prolonged Malware Campaign
A year-long malware campaign aimed at Roblox developers has been identified by security researchers at Checkmarx. The attackers are publishing malicious npm packages that impersonate the widely used “noblox.js” library, creating numerous packages designed to steal sensitive data and compromise developer systems.
This campaign has been operational for over a year, taking advantage of the inherent trust found within the open-source community. Roblox, with its extensive user base of over 70 million daily active users, has become a prime target for these attacks.
Despite various takedowns, new malicious packages continue to emerge, with some still active on the npm registry as of now.
Deceptive Tactics Employed
The attackers have employed sophisticated methods to create a veneer of legitimacy for their malicious packages. This involves a combination of brandjacking, combosquatting, and starjacking techniques.
By creating package names that resemble genuine extensions of the “noblox.js” library—such as “noblox.js-async,” “noblox.js-thread,” and “noblox.js-api”—the attackers increase the likelihood that unsuspecting developers will install their malicious versions.
Starjacking involves linking these packages to the legitimate library’s GitHub repository, artificially boosting their perceived popularity and credibility.
Additionally, the malware is cleverly concealed within the packages. The attackers replicate the legitimate structure of “noblox.js,” embedding their malicious code in the “postinstall.js” file while obfuscating it to prevent detection, even incorporating Chinese characters to complicate analysis.
These strategies create a compelling illusion of legitimacy, making it more likely for developers to install the harmful packages.
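The three impersonation techniques described above (lookalike names, name extensions of a trusted package, and a `repository` field that borrows another project's GitHub page) can each be checked mechanically before a package is installed. The following is an added example, not code from the Checkmarx research or from the noblox.js project: it compares a package's npm metadata against a small allow-list of trusted packages. The allow-list, including the repository URL it attributes to noblox.js, is a constructed placeholder and not a claim about the real project's repository.

```javascript
// Added example (not from the Checkmarx write-up): flag npm package metadata
// that looks like combosquatting, brandjacking or starjacking against an allow-list.

// Constructed allow-list of trusted packages and their canonical source repos.
// The repository URL is a placeholder, not a claim about the real project.
const TRUSTED = [
  { name: 'noblox.js', repo: 'https://github.com/example-org/noblox.js' },
];

// Normalise a repository reference so that "git+https://...git", "github:org/repo"
// and plain URLs compare equal.
function normalizeRepo(ref) {
  if (!ref) return '';
  let r = String(ref).trim().toLowerCase();
  r = r.replace(/^git\+/, '').replace(/\.git$/, '').replace(/\/+$/, '');
  r = r.replace(/^github:/, 'https://github.com/');
  r = r.replace(/^git@github\.com:/, 'https://github.com/');
  return r;
}

// Levenshtein distance: catches single-character swaps and drops (brandjacking).
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,
        dp[i][j - 1] + 1,
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1),
      );
    }
  }
  return dp[a.length][b.length];
}

// Returns a list of findings for one package's metadata ({ name, repository }).
// `repository` may be the string or object form used in package.json.
function assessPackage(pkg) {
  const findings = [];
  const name = String(pkg.name || '').toLowerCase();
  const repo = normalizeRepo(pkg.repository && (pkg.repository.url || pkg.repository));

  for (const t of TRUSTED) {
    if (name === t.name) continue; // the genuine package itself

    // Combosquatting: trusted name plus a plausible-looking prefix or suffix.
    if (name.startsWith(t.name + '-') || name.startsWith(t.name + '.') || name.endsWith('-' + t.name)) {
      findings.push(`combosquat: "${name}" extends trusted name "${t.name}"`);
    } else if (editDistance(name, t.name) <= 2) {
      findings.push(`brandjack: "${name}" is within edit distance 2 of "${t.name}"`);
    }

    // Starjacking: the manifest points at a repo the package does not own,
    // so registry UIs show that repo's stars and activity for this package.
    if (repo && repo === normalizeRepo(t.repo)) {
      findings.push(`starjack: "${name}" claims repository of "${t.name}" (${repo})`);
    }
  }
  return findings;
}
```

These findings are triage signals, not verdicts: a legitimate fork or companion package can trip the name rule, and a package that points at a repository it does not control is worth a manual look rather than an automatic block. The starjacking check is the one that is hard for an attacker to satisfy honestly, since a name-extension package whose manifest points at the original project's repository is exactly the pattern this campaign used.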
How the Attack Works
Once a malicious package is installed, its code runs automatically through npm’s “postinstall” hook, misusing a feature meant for legitimate installation steps to deliver malware without any further action by the developer.
The obfuscated code can be unpacked with readily available deobfuscation tools, revealing that it steals Discord authentication tokens, disables security software such as Malwarebytes and Windows Defender, and downloads additional payloads from the attacker’s GitHub repository.
The malware also uses advanced persistence techniques, modifying the Windows registry to ensure it runs every time the Windows Settings app is opened, thereby maintaining its presence on the infected system.
Throughout its operation, the malware collects sensitive information from the system, packages it, and sends it to the attacker through a Discord webhook that serves as the command-and-control channel.
Finally, the attack culminates with the deployment of QuasarRAT, a remote access tool that gives the attacker full control over the compromised system.
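Every stage described in this section leaves a static trace in the package contents before anything is executed: a lifecycle script in `package.json`, obfuscation artefacts such as hex escapes and runtime `eval`/base64 decoding, and a hard-coded Discord webhook URL used for exfiltration. The following is an added example, not code from Checkmarx or from npm, of a pre-install triage pass that looks for those traces in an unpacked package. The sample package is constructed for the example; the webhook id and token in it are placeholders.

```javascript
// Added example (not from the Checkmarx write-up): a pre-install triage pass over
// an unpacked npm package, flagging the behaviours the campaign relied on.

// Constructed sample package: a package.json with a lifecycle hook and an
// obfuscated postinstall.js that contains a Discord webhook URL. The webhook id
// and token are placeholders.
const SAMPLE_PACKAGE = {
  'package.json': JSON.stringify({
    name: 'noblox.js-async',
    version: '1.0.0',
    scripts: { postinstall: 'node postinstall.js' },
  }),
  'postinstall.js':
    "const _0x1f=['\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f'];" +
    "const hook='https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN';" +
    "eval(atob('Ly8gcGxhY2Vob2xkZXI='));",
  'lib/index.js': "module.exports = { getPlayerInfo() { return null; } };",
};

// Hooks that npm runs during install without the developer invoking anything.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const WEBHOOK_RE = /https?:\/\/(?:[a-z0-9-]+\.)?(?:discord|discordapp)\.com\/api\/webhooks\/\d+\/[\w-]+/gi;

// Rough obfuscation indicators: escape-heavy strings, runtime code evaluation,
// base64 decoding and long non-ASCII runs (the campaign used Chinese characters).
function obfuscationSignals(src) {
  const signals = [];
  const escapes = (src.match(/\\x[0-9a-f]{2}|\\u[0-9a-f]{4}/gi) || []).length;
  if (escapes >= 4) signals.push(`${escapes} hex/unicode escape sequences`);
  if (/\beval\s*\(|new\s+Function\s*\(/.test(src)) signals.push('dynamic code evaluation');
  if (/\batob\s*\(|Buffer\.from\([^)]*['"]base64['"]/.test(src)) signals.push('base64 decoding at runtime');
  if (/[^\x00-\x7f]{8,}/.test(src)) signals.push('long non-ASCII run');
  return signals;
}

// files: map of relative path -> file contents (e.g. from an unpacked tarball).
// Returns findings of the form { path, kind, detail }, sorted by path.
function triagePackage(files) {
  const findings = [];
  const manifest = JSON.parse(files['package.json'] || '{}');
  const scripts = manifest.scripts || {};

  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) {
      findings.push({ path: 'package.json', kind: 'lifecycle-hook', detail: `${hook}: ${scripts[hook]}` });
    }
  }

  for (const [path, src] of Object.entries(files)) {
    if (!/\.(c|m)?js$/.test(path)) continue;
    for (const url of src.match(WEBHOOK_RE) || []) {
      findings.push({ path, kind: 'discord-webhook', detail: url });
    }
    const obf = obfuscationSignals(src);
    if (obf.length) findings.push({ path, kind: 'obfuscation', detail: obf.join('; ') });
  }
  return findings.sort((a, b) => a.path.localeCompare(b.path));
}

// Distinct finding kinds, handy for a one-line summary or a policy gate.
function kindsOf(findings) {
  return [...new Set(findings.map((f) => f.kind))].sort();
}
```

In practice the file map would come from `npm pack <name>` followed by extracting the tarball, so the package is inspected without ever running its scripts. Independently of any scanner, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) removes the postinstall execution path this campaign depended on; packages that genuinely need a build step can then be allow-listed and built explicitly.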
Ongoing Risks
The second-stage malware originates from an active GitHub repository, https://github.com/aspdasdksa2/callback, raising alarms that this infrastructure is still accessible and could be used to distribute malware through other unsuspecting packages.
While npm’s security team has removed the latest malicious packages, the ongoing presence of the attackers’ infrastructure poses a significant and persistent threat.
Developers, especially those using packages that resemble popular libraries like “noblox.js,” are strongly advised to exercise caution. It is crucial to thoroughly vet any packages before incorporating them into projects to safeguard against complex supply chain attacks like this one.
As attackers become increasingly adept at exploiting trust within the open-source ecosystem, vigilance and skepticism are more essential than ever.