These Roblox npm downloads could be infected with malware

Cybersecurity researchers have once again found (and eradicated) malicious npm packages, this time delivering ransomware and password-stealing Trojans to unsuspecting users. Spoofing Roblox's JavaScript libraries, the two malicious npm packages, dubbed noblox.js-proxy and noblox.js-proxies, used typosquatting to pass themselves off to anyone looking for the legitimate Roblox API wrapper noblox.js-proxied by changing a single letter in the library name. "These typosquatting packages mimic noblox.js, a popular Roblox game API wrapper that exists on npm as a standalone package, as well as legitimate variants such as noblox.js-proxied (ending in 'd' not 's')," shares Sonatype security researcher Juan Aguirre. Noblox.js is an open source JavaScript API for the popular Roblox game. According to Aguirre, the library, which has logged more than 700,000 downloads, is commonly used to create in-game scripts that interact with the Roblox website.

A sinister farce?

Analysis of the malicious libraries revealed that their authors had filled them with malware: the MBRLocker ransomware posing as the notorious GoldenEye ransomware, a password-stealing Trojan, and a creepy video. Aguirre notes that the two typosquatting libraries were unable to do any real damage because they were caught shortly after they appeared, although they still managed to log 281 and 106 downloads respectively. "...but it's clear at what kind of scale threat actors were hoping to tackle such a popular component," Aguirre says. Interestingly, this attempt to deliver ransomware comes just days after Sonatype researchers uncovered a daring attempt by malicious actors to hijack the developer account of the widely used UAParser.js library and replace its legitimate code with code laced with malware and Trojans. While Sonatype believes the fake Roblox libraries were likely planted as a joke, the incident is yet another indication that adversaries won't stop abusing popular open source repositories any time soon.
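As an added illustration of the pattern the article describes (this is not code from the article, Sonatype or the noblox.js project), the script below flags entries in a package.json dependency object whose names sit one edit away from an allowlisted package, or extend one with a suffix; the allowlist and the sample dependencies are constructed from the package names quoted in the article.

```javascript
// Added example (not from the article, Sonatype or noblox.js): flag package.json dependency
// names that resemble an allowlisted package, the pattern the article describes.
// Allowlist taken from the article; a real project would maintain its own.
const KNOWN_GOOD = ["noblox.js", "noblox.js-proxied"];

// Levenshtein edit distance (insert, delete, substitute) with a two-row table.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Nearest allowlisted name within `maxDistance` edits wins (noblox.js-proxies vs noblox.js-proxied);
// otherwise an allowlisted name used as a prefix counts (noblox.js-proxy extends noblox.js).
function classify(name, knownGood, maxDistance) {
  const lower = name.toLowerCase();
  let best = null;
  for (const good of knownGood) {
    const d = editDistance(lower, good.toLowerCase());
    if (d > 0 && d <= maxDistance && (!best || d < best.distance)) {
      best = { lookalikeOf: good, distance: d, reason: `edit distance ${d}` };
    }
  }
  if (best) return best;
  for (const good of knownGood) {
    if (lower.startsWith(good.toLowerCase() + "-")) {
      return { lookalikeOf: good, distance: null, reason: "suffix added to allowlisted name" };
    }
  }
  return null; // nothing resembles an allowlisted name
}

// One finding per suspicious dependency; allowlisted names themselves are skipped.
function findLookalikes(dependencies, knownGood = KNOWN_GOOD, maxDistance = 1) {
  return Object.keys(dependencies)
    .filter((name) => !knownGood.includes(name))
    .map((name) => ({ name, ...classify(name, knownGood, maxDistance) }))
    .filter((f) => f.lookalikeOf);
}

// Constructed sample: the legitimate wrapper, the two squatted names, one unrelated package.
const SAMPLE_DEPENDENCIES = {
  "noblox.js": "^4.0.0", "noblox.js-proxies": "^1.0.0", "noblox.js-proxy": "^1.0.0", express: "^4.17.1",
};
for (const f of findLookalikes(SAMPLE_DEPENDENCIES)) console.log(`"${f.name}" resembles "${f.lookalikeOf}" (${f.reason})`);
```

Run against a real project's dependencies, the same check can be wired into a pre-install or CI step so that a single-letter slip is caught before the package is ever fetched.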