In a striking parallel to a 2021 attack, a group of researchers has uncovered a resurgence of malicious packages on the npm repository, targeting developers using the Roblox API.
These malicious packages deploy the notorious Luna Grabber, an open-source information-stealing malware, adding yet another layer of sophistication to a campaign that raises red flags for software supply chain security.
The Phantom Attack:
Since the beginning of August, ReversingLabs researchers have spotted more than a dozen malicious packages on the npm public repository.
A notable similarity to the 2021 campaign emerges as these packages mimic the reputable ‘noblox.js,’ a Node.js Roblox API wrapper used by developers to script interactions with the Roblox gaming platform.
The objective is to trick developers into downloading and executing compromised packages that carry Luna Grabber, an information-stealing malware.
The focal point of this campaign revolves around developers creating scripts for the Roblox gaming platform.
The genuine ‘noblox.js’ package aids in crafting JavaScript scripts that enhance interactions with Roblox, enabling activities such as user promotion and managing communities.
The counterfeit packages discovered by ReversingLabs replicate code from the legitimate ‘noblox.js’ but embed malicious information-stealing functions.
Malware npm Packages
Recalling a past instance, this attack tactic isn’t entirely new. In 2021, Sonatype revealed an analogous campaign where malicious npm packages posed as ‘noblox.js’ by capitalizing on typosquatting.
Like their contemporary counterparts, these malevolent packages replicated legitimate code and carried a malicious post-installation script.
The outcome was the deployment of ransomware, putting unsuspecting developers at risk.
The Complex Dance:
Though the recent campaign echoes the 2021 model, it amplifies its complexity.
Malicious packages such as ‘noblox.js-vps’ closely imitate the original ‘noblox.js,’ even presenting legitimate-looking npm pages to lend credibility.
The trap is sprung at the post-installation stage: once the package is installed, a separate file, ‘postinstall.js,’ runs and carries the malicious payload.
The evolution of the ‘noblox.js-vps’ package becomes apparent upon close examination.
Early versions contained rudimentary scripts, while subsequent iterations displayed more sophisticated behavior.
The final stage is a malicious PyInstaller-compiled executable built on Luna Grabber.
This malware scavenges information from local web browsers, Discord applications, and system configurations.
Luna Grabber’s Playbook:
Luna Grabber emerges as the malicious actor’s weapon of choice, offering a plug-and-play malware experience.
“Luna Grabber is very customizable and has detailed instructions on its GitHub page on how to compile a malicious executable.”
ReversingLabs’ investigation reveals that each iteration of the second-stage script downloads the same third-stage executable payload.
This PyInstaller-compiled executable, once dissected, is a manifestation of Luna Grabber, tailored to pilfer sensitive data with a customized twist.
Implications and Beyond:
While the impact of this specific campaign was limited, it underscores the vulnerability inherent in open-source repositories.
ReversingLabs says the campaign accounted for 963 downloads across three different malicious packages, which it considers limited.
The recurrence of malicious packages under the pretense of trusted counterparts exposes developers to risks they might overlook.
It prompts organizations to exercise extreme caution while selecting packages for their projects, emphasizing the importance of robust supply chain security practices.
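The campaign above hinges on two things a defender can check for before code ever runs: an npm install hook (the ‘postinstall.js’ stage) and a package name that rides on a trusted one (‘noblox.js-vps’ next to ‘noblox.js’). The following Node.js script is an added example, not code from the article or from ReversingLabs, that audits a set of package.json manifests for both signals. The manifests, the trusted-package list, and the distance threshold are constructed for illustration; only the npm lifecycle hook names are real npm behaviour.

```javascript
// Constructed sample manifests (package.json contents) standing in for what an
// auditor would read out of node_modules/*/package.json. These are illustrative
// values, not the real packages described in the article.
const SAMPLE_MANIFESTS = [
  { name: 'noblox.js', version: '4.15.0', scripts: { test: 'jest' } },
  { name: 'noblox.js-vps', version: '4.2.2',
    scripts: { postinstall: 'node postinstall.js' } },
  { name: 'lodash', version: '4.17.21', scripts: {} },
  { name: 'nobolx.js', version: '1.0.0',
    scripts: { preinstall: 'node setup.js' } },
];

// Packages a team has reviewed and trusts by exact name (assumed allowlist).
const TRUSTED = ['noblox.js', 'lodash'];

// npm runs these hooks automatically during `npm install`; any package that
// declares one can execute arbitrary code on the developer's machine.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Levenshtein edit distance, used to measure how close a name is to a trusted one.
function editDistance(a, b) {
  const rows = a.length + 1;
  const cols = b.length + 1;
  const d = Array.from({ length: rows }, (_, i) => [i, ...new Array(cols - 1).fill(0)]);
  for (let j = 1; j < cols; j++) d[0][j] = j;
  for (let i = 1; i < rows; i++) {
    for (let j = 1; j < cols; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[rows - 1][cols - 1];
}

// Returns the install-time hooks a manifest declares (empty array if none).
function installHooks(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === 'string');
}

// Returns the trusted name this manifest imitates, or null. A name counts as a
// look-alike when it is not itself trusted and either glues a suffix/prefix onto
// a trusted name (noblox.js-vps) or sits within `maxDistance` edits of one
// (nobolx.js). The threshold of 2 is an assumption; tune it to your list.
function lookalikeOf(name, trusted = TRUSTED, maxDistance = 2) {
  if (trusted.includes(name)) return null;
  for (const t of trusted) {
    if (name.startsWith(t + '-') || name.endsWith('-' + t)) return t;
    if (editDistance(name, t) <= maxDistance) return t;
  }
  return null;
}

// Produces one finding per manifest that declares install hooks or has a
// look-alike name; clean manifests produce nothing.
function audit(manifests, trusted = TRUSTED) {
  const findings = [];
  for (const m of manifests) {
    const hooks = installHooks(m);
    const imitates = lookalikeOf(m.name, trusted);
    if (hooks.length === 0 && imitates === null) continue;
    findings.push({ name: m.name, version: m.version, hooks, imitates });
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of audit(SAMPLE_MANIFESTS)) console.log(JSON.stringify(f));
}
```

Run against the sample data, the audit flags ‘noblox.js-vps’ (postinstall hook, imitates ‘noblox.js’) and ‘nobolx.js’ (preinstall hook, two edits away from ‘noblox.js’) and stays silent on the two trusted packages. In a real project, read the manifests from node_modules or from the lockfile and review every flagged package by hand; npm's own `--ignore-scripts` flag (or `npm config set ignore-scripts true`) stops install hooks from running at all until a package has been vetted.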