Fake npm Roblox API Package Installs Ransomware and has a Spooky Surprise

The world was just coming to terms with the “ua-parser-js” npm library hijacking incident, and Sonatype’s discovery of crypto-mining malware from last week, when we found a bigger, and spookier, issue just in time for Halloween.


Could threat actors abuse open source ecosystems like npm, PyPI, and RubyGems to deploy ransomware? Our most recent discovery of malicious npm packages raised this crucial question for the first time:

  • Noblox.js-proxy
  • Noblox.js-proxies

The answer was an unequivocal yes. Let me go into the full details. These typosquatting packages mimic noblox.js, a popular Roblox game API wrapper that exists on npm both as a standalone package and as legitimate variants such as “noblox.js-proxied” (ending in ‘d’, not ‘s’). Both malicious packages are tracked under sonatype-2021-1526 in our security research data.
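The naming trick above (one letter changed in a legitimate variant, or a plausible new variant hung off a popular package name) is something a build pipeline can screen for before `npm install` runs. The following is an added example, not code from the Sonatype post or from the noblox.js project: it reads a package.json, compares every dependency name that is not on a curated allowlist against the allowlisted names, and flags both near-miss spellings (within a small edit distance, as with proxied/proxies) and unlisted "variants" that merely extend a known name with a suffix (as with noblox.js-proxy). The allowlist, the manifest, and its version ranges are constructed for the example.

```javascript
// Added example (not part of the original post): a pre-install check that flags
// dependency names resembling a known package. The allowlist and the sample
// package.json below are constructed for illustration; version ranges are placeholders.

// Packages we consider legitimate; anything else that looks like them is suspect.
const KNOWN_PACKAGES = ["noblox.js", "noblox.js-proxied"];

// Constructed manifest: one legitimate variant, the two typosquats named in the
// post, and an unrelated package that must not be flagged.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "roblox-bot",
  dependencies: {
    "noblox.js-proxied": "^4.0.0",
    "noblox.js-proxies": "^1.0.0",
    "noblox.js-proxy": "^1.0.0",
    "lodash": "^4.17.21"
  }
});

// Levenshtein edit distance, computed with a single rolling row.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // holds d[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // holds d[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Returns one finding per suspicious dependency. A name is suspicious when it is
// not allowlisted and either lies within maxDistance edits of an allowlisted name
// (proxied -> proxies) or extends an allowlisted name with a "-" or "." suffix
// (noblox.js -> noblox.js-proxy), the pattern lookalike "variants" tend to follow.
function findTyposquats(dependencyNames, knownPackages, maxDistance = 2) {
  const allowlist = new Set(knownPackages);
  const findings = [];
  for (const name of dependencyNames) {
    if (allowlist.has(name)) continue;
    let closest = null;
    const reasons = [];
    for (const legit of knownPackages) {
      const distance = levenshtein(name, legit);
      if (closest === null || distance < closest.distance) {
        closest = { legit, distance };
      }
      if (name.startsWith(legit + "-") || name.startsWith(legit + ".")) {
        reasons.push(`extends the known package name "${legit}"`);
      }
    }
    if (closest !== null && closest.distance <= maxDistance) {
      reasons.unshift(`within ${closest.distance} edit(s) of "${closest.legit}"`);
    }
    if (reasons.length > 0) {
      findings.push({ name, closest: closest.legit, distance: closest.distance, reasons });
    }
  }
  return findings;
}

// Audit a package.json string; runtime and dev dependencies are both checked.
function auditPackageJson(packageJsonText, knownPackages) {
  const manifest = JSON.parse(packageJsonText);
  const names = Object.keys({
    ...(manifest.dependencies || {}),
    ...(manifest.devDependencies || {})
  });
  return findTyposquats(names, knownPackages);
}

for (const finding of auditPackageJson(SAMPLE_PACKAGE_JSON, KNOWN_PACKAGES)) {
  console.log(`SUSPECT ${finding.name}: ${finding.reasons.join("; ")}`);
}
```

Run against the constructed manifest it reports noblox.js-proxies (one edit from noblox.js-proxied, and an extension of noblox.js) and noblox.js-proxy (three edits from noblox.js-proxied, so caught only by the suffix rule), while leaving noblox.js-proxied and lodash alone. The suffix rule is deliberately noisy: a new legitimate variant will trip it too, which is the point, since the fix is to add it to the allowlist after a human has looked at it.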

Noblox.js is an open source JavaScript API wrapper for the popular game Roblox. Users commonly use this library, downloaded over 700,000 times to date, to create in-game scripts that interact with the Roblox website. Because we discovered the two typosquats so quickly, their impact was minimal: noblox.js-proxy saw 281 total downloads and noblox.js-proxies 106. But it is clear what scale the threat actors were hoping for by going after such a popular component.

But the developers behind the malicious typosquats noblox.js-proxy and noblox.js-proxies implemented some extra, unwanted functionality: trojans, ransomware, and even a spooky surprise.

While noblox.js-proxy was flagged by Sonatype’s automated malware detection system, our security research team also came across noblox.js-proxies while investigating that package. This highlights the importance of combining automation and human research in protecting our open source ecosystems – and why we at Sonatype have not only built the system to find the issues, but employ an (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Juan Aguirre. Read the original post at: