Malicious NPM package disguises itself to steal Roblox data
A new threat to Roblox players comes in the form of a malicious package impersonating the official, open-source Noblox.js download.
Noblox.js is an open-source Roblox API wrapper written in JavaScript that interacts with the game’s website.
With 1,642 weekly downloads, it is one of the most popular third-party Roblox packages on the Node package manager (npm) registry.
Alert to #Roblox developers: The Socket research team took a deep dive into a malicious npm package we flagged, which is masquerading as Noblox.js. It targets Roblox users for data theft. Read our full analysis on the blog: https://t.co/IDn60Nwv3r
— Socket (@SocketSecurity) February 6, 2024
How has this unsafe NPM tricked Roblox users?
npm is the world's largest software registry and the popular route for developers to share and install software relating to JavaScript Object Notation (JSON), a lightweight format for storing and transporting data.
As reported by Socket, the malicious npm package is named noblox.js-proxy-server, a name chosen to resemble the legitimate open-source Noblox.js.
According to the Socket Research Team, three techniques were used to make the malware seem legitimate: brandjacking, typosquatting, and starjacking.
Although these terms may sound complicated, they simply describe the ways a malicious package presents itself as legitimate.
Brandjacking — Impersonating a brand to borrow its legitimacy, in the hope that anyone not looking closely will be duped.
Typosquatting — Exploiting the gap left by a half-finished search or a typo, so that the user lands somewhere that looks legitimate enough but is, in fact, a trap for the unwary.
Starjacking — A slightly more elaborate technique: linking to an existing brand's or project's reviews and star ratings without having anything to do with that product. Think of someone stealing all your positive eBay reviews, or a clone of a well-rated Instagram account.
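As an added illustration (not part of the article or of Socket's analysis), the first two naming tricks above can be checked mechanically against a project's package.json; the trusted-name list, the sample manifest and the similarity thresholds are assumptions chosen for this example:

```javascript
// Added example: a small dependency-name audit that flags lookalike packages of
// the two kinds described above. Trusted names and the sample manifest are
// constructed for this example; only "noblox.js-proxy-server" is the real name
// reported by Socket.

// Levenshtein edit distance between two strings.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Compare one dependency name against a trusted name. Returns null when the
// name is the trusted package itself or is clearly unrelated.
function classifyName(dep, trusted) {
  if (dep === trusted) return null;
  // Brandjacking: the trusted name used as a prefix with a plausible suffix,
  // e.g. "noblox.js-proxy-server".
  if (dep.startsWith(trusted) && /^[-_.]/.test(dep.slice(trusted.length))) {
    return 'brandjacking';
  }
  // Typosquatting: a near-miss spelling of the trusted name (threshold assumed).
  if (editDistance(dep, trusted) <= 2) return 'typosquatting';
  return null;
}

// Audit every dependency in a parsed package.json against the trusted list.
function auditDependencies(pkg, trustedNames) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const dep of Object.keys(deps)) {
    for (const trusted of trustedNames) {
      const kind = classifyName(dep, trusted);
      if (kind) findings.push({ dep, lookalikeOf: trusted, kind });
    }
  }
  return findings;
}

// Constructed sample manifest (version specifiers are placeholders).
const samplePackageJson = {
  dependencies: { 'noblox.js': '*', 'noblox.js-proxy-server': '*', express: '*' },
  devDependencies: { nobloxjs: '*' },
};

console.log(auditDependencies(samplePackageJson, ['noblox.js']));
```

The audit is a cheap pre-install check; it does not replace reviewing a package's actual contents and publisher history.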
The Socket team found that the malicious package is designed to retrieve data such as the Roblox username, and that it repeatedly scans for files with specific extensions and adds them to a zip archive.
This zip file is then uploaded to a server at a specified URL. A webhook then sends information about the uploaded file to a Discord server, and the whole process repeats every 4,000 milliseconds.
Thanks to the Socket team, awareness of this malicious threat has been raised for the 70.2 million daily users and 216 million monthly active players on Roblox.
In related Roblox news, the game announced a development on the artificial intelligence (AI) front with a real-time text translation tool for users.
Image: photo by Sora Shimazaki; Pexels
The post Malicious NPM package disguises itself to steal Roblox data appeared first on ReadWrite.