Malicious npm Packages Target Roblox Game Developers: A New Wave of Supply Chain Attacks

In a concerning development, more than a dozen malicious packages have been discovered on the npm package repository, targeting Roblox game developers. These packages, which have been active since the beginning of August 2023, carry a malicious payload capable of deploying an open-source information stealer called Luna Token Grabber onto systems owned by Roblox developers. This attack campaign, reminiscent of a similar incident from October 2021, highlights the ongoing challenges in securing software supply chains against sophisticated threats.

The Reemergence of a Familiar Threat

Security researchers at ReversingLabs first detected this malicious npm package campaign on August 1, 2023. The attack revolves around packages that mimic the legitimate "noblox.js" API wrapper, commonly used by developers to create scripts that interact with the Roblox gaming platform. The attackers ingeniously reproduce code from the authentic noblox.js package while adding malicious functions designed to steal sensitive information.

Attack Details and Package Names

The malicious packages, which were downloaded a total of 963 times before they were removed, were crafted with deceptive package names to blend in with legitimate software. Notably, the rogue packages included:

• noblox.js-vps (versions 4.14.0 to 4.23.0)
• noblox.js-ssh (versions 4.2.3 to 4.2.5)
• noblox.js-secure (versions 4.1.0, 4.2.0 to 4.2.3)

Distinct Characteristics and the Role of Luna Token Grabber

While there are similarities between this attack and a previous one in 2021, this campaign showcases unique attributes. One notable aspect is the deployment of an executable that delivers the Luna Token Grabber, an open-source information-stealing tool. This multi-stage infection sequence is a rare occurrence on the npm package repository, indicating the increased complexity and sophistication of modern supply chain attacks.

The Thin Line Between Sophistication and Disguise

According to Lucija Valentić, a software threat researcher at ReversingLabs, the distinction between sophisticated and unsophisticated attacks often hinges on the effort malicious actors invest in disguising their activities. The malicious npm packages in question adeptly conceal their malevolent functionality within a file named "postinstall.js," which is executed after installation.


Camouflaging the Attack: How It Works

The genuine noblox.js package uses a file with the same name, "postinstall.js," to display a thank-you message to users and provide links to documentation and its GitHub repository. In contrast, the malicious variants use this JavaScript file to check whether the package is being installed on a Windows machine. If the condition is met, the script triggers the download and execution of a second-stage payload hosted on the Discord CDN. Alternatively, an error message may be displayed.
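A defensive check built from the package names and version ranges listed above, as an added example that is not code from ReversingLabs or the noblox.js project: it scans a parsed package-lock.json (lockfileVersion 2 or 3) for the named packages and for any other "noblox.js-" lookalike that declares an install script. The function names, the lookalike heuristic and the sample lockfile are assumptions of this example.

```javascript
// Added example: names and version ranges are the ones listed in this article.
const KNOWN_BAD = {
  'noblox.js-vps': [['4.14.0', '4.23.0']],
  'noblox.js-ssh': [['4.2.3', '4.2.5']],
  'noblox.js-secure': [['4.1.0', '4.1.0'], ['4.2.0', '4.2.3']],
};

// Compare two plain x.y.z versions numerically; returns <0, 0 or >0.
function cmp(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Walk the "packages" map of a lockfile (lockfileVersion 2 or 3).
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const name = meta.name || path.split('node_modules/').pop();
    const version = meta.version || '';
    const ranges = KNOWN_BAD[name];
    if (ranges && ranges.some(([lo, hi]) => cmp(version, lo) >= 0 && cmp(version, hi) <= 0)) {
      findings.push({ name, version, reason: 'listed-malicious' });
    } else if (name.startsWith('noblox.js-') && meta.hasInstallScript) {
      findings.push({ name, version, reason: 'lookalike-with-install-script' });
    }
  }
  return findings;
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-roblox-bot', version: '1.0.0' },
    'node_modules/noblox.js': { version: '4.15.1', hasInstallScript: true },
    'node_modules/noblox.js-vps': { version: '4.20.0', hasInstallScript: true },
    'node_modules/noblox.js-secure': { version: '4.1.5', hasInstallScript: true },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

console.log(auditLockfile(sampleLock));
```

Installing with `npm install --ignore-scripts` keeps a file such as postinstall.js from running at install time while a flagged dependency is reviewed.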

Mitigated Threat: System Information Harvesting

The current npm campaign seems focused on harvesting system information from victims, employing a configurable builder provided by the authors of Luna Token Grabber. This restraint might suggest that the threat actor behind the campaign has chosen not to escalate the attack to more damaging stages, but the potential consequences remain concerning for Roblox developers.

The resurgence of malicious npm packages targeting Roblox game developers highlights the persistent threat posed by supply chain attacks. With attackers constantly evolving their tactics and techniques, software developers must remain vigilant and adopt robust security measures to safeguard their development environments. The npm community, security researchers, and software developers need to collaborate closely to detect and mitigate these threats effectively and ensure the integrity of the software supply chain.

Copyright © 2024 CYUN. All rights reserved.