Full Report
For over a year, a persistent malware campaign has been targeting Roblox developers through malicious NPM packages. By mimicking the popular “noblox.js” library, attackers have published dozens of packages designed to steal sensitive data and compromise systems. This campaign exploits trust in the open-source ecosystem, particularly targeting the Roblox platform, an attractive target due to its massive user base of over 70 million daily active users. Despite multiple package takedowns, new malicious packages continue to appear on the NPM registry at the time of publication, requiring developers to remain vigilant against this ongoing threat.Key PointsDozens of malicious npm packages mimicking the popular “noblox.js” library have been identified in a campaign dating back to August 2023, with the most recent ones appearing in late August 2024.The attackers of this campaign have employed techniques including brandjacking, combosquatting, and starjacking to create a convincing illusion of legitimacy for their malicious packages.The malware’s capabilities include Discord token theft, system information harvesting, system persistence, and deployment of additional payloads such as Quasar RAT.The malware employs a sophisticated persistence technique by manipulating the Windows registry, causing it to execute every time a user opens the Windows Settings app.While the identified malicious packages have been removed from npm, the attacker’s GitHub repository containing malicious executables remains active, posing a potential threat for future attacks.Malware in Disguise: The Social Engineering AspectThe attackers have employed a multi-faceted approach to craft an illusion of authenticity around their malicious packages.One deceptive tactic combines brandjacking and combosquatting — two methods that fall under the broader category of typosquatting. This strategy creates the illusion that their packages are either extensions of or closely related to the legitimate “noblox.js” library.For example: noblox.js-async, noblox.js-thread, and noblox.js-api.Since libraries commonly have multiple versions or extensions for specific use cases, mimicking this naming pattern increases the likelihood that developers will install the attackers’ packages, assuming they’re official extensions of “noblox.js.”Another tactic used is starjacking, a popular method attackers employ to fake their package stats. In this instance, the malicious packages were linked to the GitHub repository URL of the genuine “noblox.js” package. This tactic falsely inflates the perceived popularity and trustworthiness of the malicious packages.The attackers also used tactics to disguise the malware within the package itself. They meticulously mimicked the structure of the legitimate “noblox.js” but introduced their malicious code in the “postinstall.js” file. They heavily obfuscated this code, even including nonsensical Chinese characters to deter easy analysis.These combined techniques create a convincing façade of legitimacy, significantly increasing the chances of the malicious packages being installed and executed on developers’ systems. As reported in previous analyses by Socket, Stacklok and Reversinglabs, these tactics have been consistently employed and refined throughout the year-long campaign.Attack FlowThe malicious code exploits NPM’s postinstall hook, ensuring automatic execution when the package is installed. This hook, designed for legitimate setup processes, becomes a gateway for running the obfuscated malware without the user’s knowledge or consent.At first glance, the obfuscated code appears daunting and impenetrable. However, by simply using an online automated JavaScript deobfuscation tool, we were able to gain significant insight into the malicious code’s operation. This initial deobfuscation revealed the general steps the malware takes to achieve its objectives. Yet, the resulting code still contained confusing elements and required additional cleaning to fully comprehend its functionality. This process of incremental deobfuscation and analysis allowed us to piece together the complete attack flow, with its most notable details listed below.Discord Token TheftThe malware searches for Discord authentication tokens in multiple locations.The stolen tokens are then validated to ensure only active ones are exfiltrated.Antivirus EvasionThe malware aggressively undermines the system’s security measures. It first targets Malwarebytes, attempting to stop its service if running. This is followed by a more comprehensive attack on Windows Defender: the script identifies all disk drives and adds them to Windows Defender’s exclusion list. This action effectively blinds Windows Defender to any file on the system. By disabling third-party antivirus and manipulating built-in Windows security, the malware creates an environment where it can operate freely, significantly increasing its potential for damage and persistence.Additional Payload DeploymentThe malware expands its capabilities by downloading two additional executables from the attacker’s GitHub repository. These files, “cmd.exe” and “Client-built.exe”, are fetched using base64-encoded URLs and saved to the “C:\WindowsApi” directory with randomized names. The malware uses a combination of “nodeapi_” prefix and a unique hexadecimal string, likely to help the malicious files blend in with legitimate system files.Persistence MechanismTo ensure long-term access, the malware manipulates a Windows registry key to ensure it runs consistently on the infected system.Specifically, it adds the path of the downloaded “Client-built.exe” to the strategic registry location:“HKCU\Software\Classes\ms-settings\Shell\Open\command”By modifying this key, the malware hijacks legitimate Windows functionality. As a result, whenever a user attempts to open the Windows Settings app, the system inadvertently executes the malware instead.Data ExfiltrationThroughout its execution, the malware collects various types of sensitive information from the infected system. This data is packaged and sent to the attacker’s command and control server using a Discord webhook.QuasarRAT DeploymentThe final stage involves deploying QuasarRAT, a remote access tool that gives the attacker extensive control over the infected system.The AttackerThe second-stage malware originates from an active GitHub repository: https://github.com/aspdasdksa2/callback. As of this writing, the repository remains accessible and potentially in use for distributing malware through other packages. The repository, owned by user “aspdasdksa2”, contains multiple malicious executables. The repository’s continued existence and its content suggest ongoing malware development and distribution.Previous malicious npm packages were found to be linked to a different repository of that user for their second stage, but that repository is no longer accessible.Notably, the attacker maintains a second repository named “noblox-spoof”, which appears to house the latest malicious npm package content, directly referencing the target of this campaign.The most recent malicious packages impersonating the popular noblox.js library (four packages published by user “bicholassancheck14” — noblox.js-async, noblox.js-threads, noblox.js-thread, and noblox.js-api) have been taken down after we promptly reported them to npm’s security team. While this is a positive development, it’s important to note that the threat is not entirely neutralized.We strongly advise the developer community to remain vigilant. The attacker’s continued infrastructure presence and persistence pose an ongoing threat. Developers should exercise caution, particularly when working with packages that resemble popular libraries like noblox.js.ConclusionThis malware campaign, targeting Roblox developers through npm packages, has persisted for over a year. By mimicking the popular “noblox.js” library, attackers published dozens of malicious packages designed to steal sensitive data and compromise systems.Central to the malware’s effectiveness is its approach to persistence, leveraging the Windows Settings app to ensure sustained access.The discovery of these malicious NPM packages serves as a stark reminder of the persistent threats facing the developer community. By masquerading as legitimate, helpful libraries, attackers continue to find new ways to exploit trust within the open-source ecosystem.This campaign underscores the critical importance of thoroughly vetting packages before incorporation into projects. Developers must remain vigilant, verifying the authenticity of packages, especially those resembling popular libraries, to protect themselves and their users from such sophisticated supply chain attacks.As part of the Checkmarx Supply Chain Security solution, our research team continuously monitors suspicious activities in the open-source software ecosystem. We track and flag “signals” that may indicate foul play and promptly alert our customers to help protect them.Checkmarx One customers are protected from this attack.Packagesnoblox.js-asyncnoblox.js-threadnoblox.js-apinoblox.js-threadsIOChxxps[:]//github[.]com/aspdasdksa2/callback/raw/main/Client-built.exehxxps[:]//github[.]com/aspdasdksa2/callback/raw/main/cmd.exehxxps[:]//discord[.]com/api/webhooks/1273489016658071624/HWeSPo3qKIbUbqkwiWNoTneHoqo70s5aAYf9NBkAxoICy1SBMezf9ka22Ry59WK1kwYkYear-Long Campaign of Malicious npm Packages Targeting Roblox Users was originally published in Checkmarx Zero on Medium, where people are continuing the conversation by highlighting and responding to this story.
Analysis Summary
# Tool/Technique: Malicious NPM Packages Mimicking noblox.js
## Overview
A persistent malware campaign targeting Roblox developers by publishing malicious NPM packages designed to look like legitimate extensions or versions of the popular `noblox.js` library. The primary goal is sensitive data theft, system compromise, and establishing persistence on victim systems.
## Technical Details
- Type: Malware Campaign / Supply Chain Attack (via Malicious Package Distribution)
- Platform: Windows (implied by registry manipulation for persistence and targeting Malwarebytes/Windows Defender)
- Capabilities: Discord token theft, system information harvesting, system persistence, and deployment of secondary payloads (e.g., Quasar RAT).
- First Seen: Campaign dating back to August 2023.
## MITRE ATT&CK Mapping
The observed behavior maps across several ATT&CK tactics:
- **TA0001 - Initial Access**
- T1190 - Exploit Public-Facing Application (Leveraging the NPM mechanism for code execution upon installation)
- **TA0003 - Persistence**
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Manipulation of Windows Registry for persistence via Settings app launch)
- **TA0005 - Defense Evasion**
- T1218 - Signed Binary Proxy Execution (Potentially implicated if secondary payloads use trusted mechanisms)
- T1562.001 - Impair Defenses: Disable or Modify Tools (Disabling/Excluding Windows Defender, targeting Malwarebytes)
- **TA0009 - Collection**
- T1003.001 - OS Credential Dumping: LSASS Memory (Implied if harvesting system data aggressively)
- T1114.002 - Email Collection (If Discord tokens are exfiltrated via webhooks)
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel (Stealing Discord tokens)
## Functionality
### Core Capabilities
- **Supply Chain Compromise:** Exploiting the NPM postinstall hook (`postinstall.js`) to execute obfuscated malicious code automatically upon package installation.
- **Data Theft:** Searching for and validating active Discord authentication tokens for exfiltration.
- **System Harvesting:** Gathering general system information.
### Advanced Features
- **Evasion & Persistence:** Aggressively attempting to disable security products:
1. Stopping the Malwarebytes service if found running.
2. Identifying all disk drives and adding them to the Windows Defender exclusion list, effectively blinding the built-in antivirus.
- **Sophisticated Persistence:** Manipulating the Windows registry to ensure execution every time the user opens the Windows Settings application.
- **Payload Deployment:** Downloading and executing additional payloads, specifically mentioning Quasar RAT and other executables (`Client-built.exe`, `cmd.exe`).
- **Social Engineering:** Employing **Brandjacking**, **Combosquatting** (e.g., `noblox.js-async`), and **Starjacking** (linking malicious packages to the legitimate repository's GitHub URL) to gain developer trust.
## Indicators of Compromise
- File Hashes: [Not provided in article]
- File Names: `Client-built.exe`, `cmd.exe` (downloaded payloads)
- Registry Keys: Mentioned manipulation of Windows Registry for persistence via Settings app launch.
- Network Indicators:
- C2/Payload Download URL: `hxxps[:]//github[.]com/aspdasdksa2/callback/raw/main/`
- Discord Webhook URL: `hxxps[:]//discord[.]com/api/webhooks/1273489016658071624/HWeSPo3qKIbUbqkwiWNoTneHoqo70s5aAYf9NBkAxoICy1SBMezf9ka22Ry59WK1kwYk`
- Behavioral Indicators: Execution of code from `postinstall.js` during NPM installation; persistence mechanism triggering on Windows Settings launch; attempting to stop system security processes.
## Associated Threat Actors
The specific threat actor group name is not provided, but the activity is attributed to persistent attackers maintaining infrastructure (including an active GitHub repository) over a year-long campaign.
## Detection Methods
- Signature-based detection: Signatures for the identified malicious package names and associated file hashes (if hashes were released).
- Behavioral detection: Monitoring `npm install` processes for execution of code within `postinstall.js`, registry modifications associated with the Settings app launch, and API calls related to disabling security components (e.g., modifying Windows Defender exclusion lists).
- YARA rules: Could be developed based on the obfuscated code patterns found within the `postinstall.js` file.
## Mitigation Strategies
- **Vetting Packages:** Thoroughly vetting all dependencies, especially those resembling popular libraries (brandjacking/combosquatting risks).
- **Supply Chain Security:** Utilizing specialized supply chain security solutions to monitor package authenticity signals.
- **Principle of Least Privilege:** Restricting execution rights where possible in development environments.
- **Security Hardening:** Ensure Windows Defender is not manipulated (e.g., monitor registry keys controlling exclusions).
- **Awareness:** Developer teams must be aware of common typosquatting and social engineering techniques (`starjacking`).
## Related Tools/Techniques
- Luna Grabber (mentioned in external reference)
- Quasar RAT (explicitly downloaded as a secondary payload)
- Typosquatting (General technique encompassing Combosquatting and Brandjacking)