Evolving npm Package Campaign Targets Roblox Devs, for Years

Published: 23/11/2024   Category: security

Attackers have added aggressive social engineering to their arsenal, along with a novel Windows-manipulating persistence mechanism that demands developer vigilance.

Attackers for at least a year have been using malicious Node Package Manager (npm) packages that mimic the popular noblox.js library to target Roblox game developers with malware that steals Discord tokens and system data, and even deploys additional payloads.
The campaign, outlined by researchers at Checkmarx and active since at least August 2023, leverages a variety of tactics, including brandjacking, combosquatting, and starjacking, in an effort to make the packages appear legitimate. Once it gets its foothold on a targeted system, the malware collects various types of sensitive data that is sent in a package to the attackers' command-and-control (C2) server using a Discord webhook.
Roblox, a popular gaming and game-creation platform, has more than 70 million daily active users, and is thus an attractive target for threat actors. Researchers from ReversingLabs previously disclosed the npm package campaign targeting Roblox and delivering the Luna Grabber malware, and other firms have written about it as well.
The Checkmarx analysis sheds new light on how it's evolving, with the use of various social engineering tactics to increase deception as well as novel malicious activities, including the addition of the QuasarRAT to its list of secondary payloads, Yehuda Gelb, security researcher at Checkmarx, wrote in a post on the Medium platform. It delivers the secondary malware from an active GitHub repository owned by the user aspdasdksa2, which is potentially in use for distributing malware through other packages, he wrote.
Other malware delivered by the campaign has added a novel persistence mechanism that manipulates the Windows registry. This ensures execution every time a user opens the Windows Settings app, and is central to the malware's effectiveness, Gelb noted.
What's more, attackers appear to be highly attentive to any mitigation of their malicious activities — something that is clearly evident given the duration of the campaign and the consistent flow of novel malicious packages. Despite multiple package takedowns, new malicious packages continue to appear on the npm registry at the time of publication, Gelb wrote.
The campaign features elaborate social engineering that demonstrates that the attackers know their audience and aim to make the packages look as authentic and useful as possible to Roblox developers.
One typosquatting technique combines subsets of this tactic — brandjacking and combosquatting — to create the illusion, through the naming of the packages, that they are either extensions of or closely related to the legitimate noblox.js library, Gelb wrote. These include names such as noblox.js-async, noblox.js-thread, and noblox.js-api.
Attackers also use starjacking, a tactic that threat actors use to inflate package statistics so that developers believe packages are downloaded more often than they actually are, and are therefore trustworthy. In this case, the attackers linked malicious packages to the GitHub repository URL of the genuine noblox.js package, Gelb said.
Further tactics employed in the campaign attempt to disguise the malware within the package itself by mimicking the structure of the legitimate noblox.js file, and then introduce malicious code in the postinstall.js file. They heavily obfuscated this code, even including nonsensical Chinese characters to deter easy analysis, Gelb noted.
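As an added illustration (not code from the article or from Checkmarx), the following script checks an npm package manifest for the three tactics described above: a name built on a watched library (combosquatting), a repository field that claims that library's own GitHub repository (starjacking), and install hooks whose script files show signs of obfuscation. The watchlist, the sample manifest and the noblox.js repository URL are assumptions constructed for the example.

```javascript
const WATCHLIST = ["noblox.js"]; // assumed: popular packages whose name we guard
function repoSlug(repository) {
  // Normalise package.json "repository" (string or {url}) to "owner/name".
  const url = typeof repository === "string" ? repository : (repository && repository.url) || "";
  const m = url.match(/github\.com[/:]([^/]+)\/(.+?)(?:\.git)?(?:[/#]|$)/i);
  return m ? `${m[1]}/${m[2]}`.toLowerCase() : null;
}

function vetPackage(pkg, files = {}, watchlist = WATCHLIST) {
  const findings = [];
  const name = String(pkg.name || "").toLowerCase();
  const slug = repoSlug(pkg.repository);
  for (const brand of watchlist) {
    // Combosquatting/brandjacking: the brand name with a plausible suffix bolted on.
    if (name !== brand && (name.startsWith(brand + "-") || name.startsWith(brand + "."))) {
      findings.push(`combosquatting: "${name}" is built on the name "${brand}"`);
    }
    // Starjacking: the manifest claims the brand's own repository as its source.
    if (slug && slug.endsWith("/" + brand) && name !== brand) {
      findings.push(`starjacking: repository ${slug} belongs to "${brand}", not "${name}"`);
    }
  }
  // Install hooks run arbitrary code during `npm install`; report them and inspect
  // any script file they reference (e.g. "node postinstall.js").
  const scripts = pkg.scripts || {};
  for (const hook of ["preinstall", "install", "postinstall"]) {
    if (!scripts[hook]) continue;
    findings.push(`install hook: ${hook} -> ${scripts[hook]}`);
    for (const [fname, body] of Object.entries(files)) {
      if (!scripts[hook].includes(fname)) continue;
      if (/[^\x00-\x7f]/.test(body)) findings.push(`obfuscation: non-ASCII text in ${fname}`);
      if (/\beval\s*\(|new\s+Function\s*\(/.test(body)) findings.push(`obfuscation: dynamic code execution in ${fname}`);
    }
  }
  return findings;
}

// Constructed sample in the campaign's pattern; not a real package.
const SAMPLE_PKG = {
  name: "noblox.js-async",
  version: "1.0.0",
  repository: { type: "git", url: "git+https://github.com/noblox/noblox.js.git" }, // assumed genuine repo URL
  scripts: { postinstall: "node postinstall.js" },
};
const SAMPLE_FILES = { "postinstall.js": "var _0xab=['\u6211\u662f'];eval(_0xab[0]);" };
if (typeof require !== "undefined" && require.main === module) {
  console.log(vetPackage(SAMPLE_PKG, SAMPLE_FILES).join("\n"));
}
```

Run it against the `package.json` and the tarball contents of a dependency before adding it; every finding is a reason to read the package by hand rather than a verdict on its own.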
As the campaign evolves, attackers continue to up the ante to make it harder for defenders to detect and mitigate the malware it delivers. One such novel tactic aggressively undermines the system's security measures by targeting various services such as Malwarebytes and Windows Defender, Gelb wrote. It first targets the former and attempts to stop it if it's running, followed by a more comprehensive attack on Windows Defender, he wrote.
The script identifies all disk drives and adds them to Windows Defender's exclusion list, he explained. This action effectively blinds Windows Defender to any file on the system.
Overall, its disabling of third-party antivirus and the manipulation of built-in Windows security creates an environment where the malware can operate freely, significantly increasing its potential for damage and persistence, Gelb noted.
Targeting developers through the open source code assets that they rely on to develop software (or in this case, games) is an evolving strategy used by threat actors to broaden their attack surface. By poisoning code during the development process, they can spread malware to numerous users through the software supply chain without having to target specific systems individually.
Indeed, the ongoing attack on Roblox developers through persistently compromised npm packages serves as a stark reminder of the persistent threats facing the developer community and demands that they use extreme caution when working with open source code packages, Gelb observed.
The campaign and others like it once again stress the critical importance of thoroughly vetting packages before incorporating them into projects, he said. Developers must remain vigilant, verifying the authenticity of packages, especially those resembling popular libraries, to protect themselves and their users from such sophisticated supply chain attacks.
