Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Roblox devs under attack by new malicious npm campaign

Roblox password.

Cybercriminals were, once again, spotted impersonating legitimate businesses, as they try to steal valuables from software developers. This time around, researchers from Checkmarx saw fake Roblox npm packages, whose true purpose is to deploy a remote access trojan (RAT) called Quasar.

Roblox is an online platform where users can create and play games made by other users, using a game creation system called Roblox Studio. It features a virtual currency called Robux for in-game purchases and has over 214 million monthly active users.

In this campaign, crooks were using typosquatting (giving malware a name similar to a legitimate file that developers could download and run by mistake), and deployed multiple packages to the npm repository, in hopes that someone will pick it up.

Quasar Remote Access Trojan

It’s an old strategy that worked well in the past, and seems to have worked well in this instance, too. According to the researchers, the four malicious packages that were identified, have had almost 200 downloads, combined, before being spotted and removed.

The noblox.js-async package had 74 downloads, noblox.js-thread 117 downloads, noblox.js-threads 64 downloads, and noblox.js-api 64 downloads.

“By mimicking the popular 'noblox.js' library, attackers have published dozens of packages designed to steal sensitive data and compromise systems," Checkmarx researchers said in a report.

"The attackers of this campaign have employed techniques including brandjacking, combosquatting, and starjacking to create a convincing illusion of legitimacy for their malicious packages."

To further improve the perceived legitimacy of these packages, the crooks also listed the source repository as noblox.js.

Developers that don’t spot the ruse and download these packs will receive the Quasar Remote Access Trojan, which is hosted on a GitHub repository. At the same time, they will lose their Discord tokens, and have their Microsoft Defender Antivirus updated to not spot the malware.

"Central to the malware's effectiveness is its approach to persistence, leveraging the Windows Settings app to ensure sustained access," the researchers added. "As a result, whenever a user attempts to open the Windows Settings app, the system inadvertently executes the malware instead."

Via The Hacker News

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.