Hackers Used npm Malicious Packages to Compromise Roblox API Users

Security researchers have identified several malicious npm packages that seek to trick Roblox API users into downloading a type of malware named Luna Grabber.

There’s no end to hackers’ efforts to spread npm malicious packages. Since they are essential to many developers and programmers, it’s clear why hackers are targeting them. Implementing a malicious library, npm package or any other type of component would give attackers direct access.

In this case, Roblox API users need various npm packages to write scripts for the immensely popular Roblox gaming platform.

“The legitimate noblox.js package is an open-source Roblox API wrapper that enables gamers to use JavaScript to create useful scripts to interact with the Roblox website, for example by ‘promoting users, shout events, and so on, or to create Discord utilities to manage their community’” explainedReversingLabs’ security researchers.

Of course, downloading a non-functional package would be useless, so the malicious package has the same functionality as the original but with malware sprinkled in.

“The only difference between a legitimate package and a malicious one was that a malicious payload was put inside a separate file, postinstall.js, that is called after installation of the main npm package is complete,” researchers said.

All the effort was directed towards tricking developers into deploying a piece of  malware named Luna Grabber that can steal information from web browsers, Discord and other locally stored data. It’s also quite capable of determining if it’s deployed in a virtual machine, in which case it automatically destroys itself.

All the npm packages involved in this campaign have since been taken down, but it pays to be extra careful when downloading packages and ensure that the names are correct.