Malicious actors have yet again published two more typosquatted libraries to the official NPM repository that mimic a legitimate package from Roblox, the game company, with the goal of distributing stealing credentials, installing remote access trojans, and infecting the compromised systems with ransomware.
The bogus packages — named “noblox.js-proxy” and “noblox.js-proxies” — were found to impersonate a library called “noblox.js,” a Roblox game API wrapper available on NPM and boasts of nearly 20,000 weekly downloads, with each of the poisoned libraries, downloaded a total of 281 and 106 times respectively.
This Batch script, in turn, downloads malicious executables from Discord’s Content Delivery Network (CDN) that are responsible for disabling anti-malware engines, achieving persistence on the host, siphoning browser credentials, and even deploying binaries with ransomware capabilities.
Recent research from Check Point Research and Microsoft-owned RiskIQ revealed how threat actors are increasingly abusing Discord CDN, a platform with 150 million users, to persistently deliver 27 unique malware families, ranging from backdoors and password stealers to spyware and trojans.
Although both the malicious NPM libraries have since been taken down and are no longer available, the findings are yet another indication as to how popular code registries like NPM, PyPI, and RubyGems have emerged as a lucrative frontier for carrying out a variety of attacks.