A recent malware campaign targeting the npm (Node Package Manager) repository has raised alarms within the open-source ecosystem. Malicious packages are actively impersonating legitimate libraries, aiming to infect Roblox users with data-stealing malware. This campaign highlights a growing trend of supply chain attacks that exploit trust in widely-used open-source platforms.
Targeted npm Packages and Malware Variants
The campaign’s primary goal is to infect users with Skuld and Blank-Grabber—open-source stealer malware variants developed in Golang and Python. These malware strains collect sensitive information from infected devices and send it to attackers via Discord webhooks and Telegram channels. Socket security researcher Kirill Boychenko detailed how the attackers leverage open-source resources, GitHub repositories, and communication platforms to distribute and control their malware.
List of Malicious Packages:
- node-dlls (77 downloads): A misleading variant of "node-dll," designed to confuse developers into downloading it.
- ro.dll (74 downloads): Likely referencing “Roblox DLL” to appeal to Roblox developers.
- autoadv (66 downloads): A generic name to increase download appeal.
- rolimons-api (107 downloads): Impersonates Rolimon’s API, a trusted tool in the Roblox community.
While legitimate Rolimon wrappers are popular, such as the rolimons Python package with over 17,000 downloads, malicious rolimons-api packages exploit familiar names to increase trust and downloads.
How the Attack Works
The attackers use obfuscation to conceal the malicious code within these packages, making it difficult for security tools to detect. Upon installation, the malware downloads and executes the Skuld and Blank-Grabber payloads from a GitHub repository controlled by the attackers (“github[.]com/zvydev/code”). Once installed, these malware strains harvest various types of sensitive data from infected systems.
To bypass traditional security measures, the malware exfiltrates data via Discord webhooks and Telegram channels: traffic to these widely used platforms blends in with legitimate activity and passes through many standard detection systems unnoticed.
Roblox’s Popularity Makes It a Prime Target
As Roblox’s user base and developer community continue to grow, threat actors see it as an attractive target for typosquatting attacks—a tactic where attackers create packages with names similar to legitimate libraries. Previous incidents this year involved fake packages like noblox.js-proxy-server, noblox-ts, and noblox.js-async—all impersonating noblox.js, a popular library for Roblox development.
Mitigation and Recommendations
This incident underscores the importance of supply chain security and the need for enhanced vigilance when using open-source packages. As open-source ecosystems expand, attackers find more opportunities to embed malicious code into widely-used repositories.
Best Practices for Developers:
- Verify Package Names: Be cautious of packages with similar names to well-known libraries. Typosquatting is a common tactic to deceive developers.
- Inspect Source Code: Review the code and associated GitHub repositories before installing a new package.
- Enable Security Tools: Use package managers or tools that can detect and alert about potential security risks in dependencies.
- Stay Informed: Keep up-to-date with security advisories related to the tools and libraries you use, especially if they come from open-source repositories.
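A defender-side pre-install check that turns the first three recommendations into code, as an added example that is not part of the original article: it flags dependency names that sit within a small edit distance of, or extend with a suffix, a short allow-list of well-known packages (the pattern behind node-dlls, rolimons-api and noblox-ts), and flags install-time lifecycle scripts, the usual way a package runs a payload during `npm install`. The allow-list, the sample manifest and the version strings in it are constructed for illustration.

```javascript
// Added example (not from the article): heuristic audit of a package.json.
const KNOWN_GOOD = ['noblox.js', 'rolimons', 'node-dll', 'express', 'lodash']; // constructed allow-list
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Optimal-string-alignment distance: insert, delete, substitute, adjacent swap.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Returns a list of findings for review; nothing here blocks an install by itself.
function auditManifest(pkg) {
  const findings = [];
  const deps = Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
  for (const name of deps) {
    if (KNOWN_GOOD.includes(name)) continue; // exact match to a known package is fine
    for (const good of KNOWN_GOOD) {
      // "rolimons-api" extends "rolimons"; "node-dlls" is one edit from "node-dll"
      const extendsGood = name.startsWith(good) && /^[-._]/.test(name.slice(good.length));
      if (extendsGood || editDistance(name, good) <= 2) {
        findings.push({ type: 'lookalike', name, resembles: good });
        break;
      }
    }
  }
  for (const hook of INSTALL_HOOKS) {
    if (pkg.scripts && pkg.scripts[hook]) {
      findings.push({ type: 'install-hook', name: pkg.name, hook, command: pkg.scripts[hook] });
    }
  }
  return findings;
}

// Constructed sample manifest using two of the package names from the article.
const SAMPLE = {
  name: 'my-roblox-tool',
  dependencies: { 'rolimons-api': '^1.0.0', 'node-dlls': '^1.0.0', express: '^4.18.0' },
  scripts: { postinstall: 'node setup.js' },
};

console.log(JSON.stringify(auditManifest(SAMPLE), null, 2));
```

Run it against a real project's package.json by replacing SAMPLE with `JSON.parse(require('fs').readFileSync('package.json', 'utf8'))`; treat every finding as a prompt to inspect the package and its repository before installing.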
The growing reliance on open-source code has broadened the attack surface for supply chain threats. This campaign targeting Roblox developers via npm packages serves as a reminder of the evolving tactics used by attackers. Increased awareness and rigorous security practices among developers are crucial to safeguarding the open-source ecosystem against such threats.