Malicious actors have uploaded two new typosquatted libraries to the official NPM repository, posing as authentic Roblox packages, intending to steal passwords, install remote access trojans, and infect affected devices with ransomware.
The poisoned libraries, dubbed “noblox.js-proxy” and “noblox.js-proxies,” were found to imitate a library named “noblox.js,” a Roblox game API wrapper available on NPM with almost 20,000 weekly downloads; the two poisoned libraries were downloaded 281 and 106 times, respectively.
According to Juan Aguirre of Sonatype, the creator of noblox.js-proxy originally released a benign version that was subsequently altered to include obfuscated text, a Batch (.bat) script, in the post-installation JavaScript file.
This Batch script then downloads malicious executables from Discord’s Content Delivery Network (CDN) that disable anti-malware engines, achieve host persistence, steal browser passwords, and even deploy binaries with ransomware abilities.
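A defender-side audit for the pattern reported above (a lookalike package name, an install-time lifecycle hook, and an install script that spawns a Batch file fetching payloads from Discord's CDN), written as an added example that is not code from the original article or from Sonatype; the package list, pattern labels, and sample manifest and script are constructed assumptions, not the real package contents.

```python
import json
import re
# Constructed, short list of popular names treated as impersonation targets.
KNOWN_NAMES = ["noblox.js", "ua-parser-js"]
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
# Install-script traits matching the behaviour reported above.
SUSPICIOUS = {
    "discord-cdn": re.compile(r"cdn\.discordapp\.com", re.I),
    "batch-file": re.compile(r"\.bat\b", re.I),
    "spawns-process": re.compile(r"child_process|execSync|spawn\("),
}

def edit_distance(a, b):
    """Plain Levenshtein distance between two package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(name, known=KNOWN_NAMES):
    """Known package this name imitates (near-typo or 'name + suffix'), else None."""
    for k in known:
        if name != k and (name.startswith(k) or edit_distance(name, k) <= 2):
            return k
    return None

def audit_package(package_json_text, install_script_text=""):
    """Return finding labels for one package's manifest and install script."""
    pkg = json.loads(package_json_text)
    findings = []
    target = lookalike_of(pkg.get("name", ""))
    if target:
        findings.append(f"lookalike:{target}")
    for hook in LIFECYCLE_HOOKS:
        if hook in pkg.get("scripts", {}):
            findings.append(f"hook:{hook}")  # runs automatically on `npm install`
    for label, pat in SUSPICIOUS.items():
        if pat.search(install_script_text):
            findings.append(label)
    return findings

# Constructed sample modelled on the case above, not the real package contents.
SAMPLE_PKG = json.dumps({"name": "noblox.js-proxy", "version": "1.0.2",
                         "scripts": {"postinstall": "node postinstall.js"}})
SAMPLE_SCRIPT = ('const { execSync } = require("child_process");\n'
                 '// fetch.bat pulls https://cdn.discordapp.com/attachments/PLACEHOLDER\n')
```

Calling `audit_package(SAMPLE_PKG, SAMPLE_SCRIPT)` on the constructed sample returns all five labels; the suffix check matters because plain edit distance alone would miss a squat like noblox.js-proxy.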
Threat actors are increasingly leveraging Discord CDN, a network with over 150 million users, to deploy 27 different malware families, ranging from backdoors and password stealers to spyware and trojans, according to new data from Check Point Research and Microsoft-owned RiskIQ.
Although both malicious NPM modules have now been removed and are no longer available, the findings show how central code repositories like NPM, PyPI, and RubyGems have become a profitable frontier for carrying out a range of attacks.
The revelation also coincides with a recent supply-chain attack on “UAParser.js” in which the developer’s account was hacked to corrupt the package with cryptocurrency mining and credential-stealing malware, just days after three other copycat crypto-mining packages were ousted from the registry.