Over a dozen malicious packages have been discovered on the npm package repository since early August 2023, with the potential to deploy an open-source information stealer called Luna Token Grabber on systems belonging to Roblox developers.
The ongoing campaign, first detected on August 1 by ReversingLabs, employs modules that masquerade as the legitimate package noblox.js, an API wrapper that’s used to create scripts that interact with the Roblox gaming platform.
The software supply chain security company described the October 2021 activity as “a repeat of an attack it uncovered two years ago.”
“The malicious packages [..] reproduce code from the legitimate noblox.js package but add malicious, information-stealing functions,” software threat researcher Lucija Valentić said in Tuesday’s analysis.
The packages were cumulatively downloaded 963 times before being removed. The names of rogue packages are as follows –
- noblox.js-vps (versions 4.14.0 to 4.23.0)
- noblox.js-ssh (versions 4.2.3 to 4.2.5)
- noblox.js-secure (versions 4.1.0, 4.2.0 to 4.2.3)
While the broad contours of the latest attack wave are very similar to previous ones, it also exhibits some unique features of its own, most notably in the deployment of an executable that distributes Luna Grabber.
ReversingLabs said this development is one of the rare examples of a multi-stage transition sequence featured on NPM.
Valentić explained, “With malicious campaigns targeting the software supply chain, the distinction between sophisticated and unsophisticated attacks is often reduced to the level of malicious actors attempting to disguise their attack and make their malicious packages appear legitimate.
Modules, in particular, cleverly hide their malicious functionality in a separate file called postinstall.js that is invoked after installation.
This is because the actual noblox.js package uses a file by the same name to display a thank you message to its users, along with a link to its documentation and GitHub repository.
The bogus variants, on the other hand, use a JavaScript file to check whether the package is installed on the Windows machine, and if so, download and execute a second-stage payload hosted on the Discord CDN, or alternatively From, show an error message.
ReversingLabs said the second phase continued to evolve with each iteration, adding progressively more functionality and obfuscation mechanisms to thwart the analysis. The primary responsibility of the script is to download Luna Token Grabber, a Python tool that can steal credentials from web browsers as well as Discord tokens.
However, it appears that the threat actor behind the npm campaign has chosen to obtain system information from victims only using a configurable builder provided by the author of Luna Token Grabber.
This isn’t the first time the Luna Token Grabber has been spotted in the wild. Earlier this June, Trelix revealed details of a new Go-based information stealer called Skuld that overlaps with the malware strain.
“This once again highlights a trend of malicious actors using typosquatting as a technique to fool developers into downloading malicious code under the guise of legitimate packages with similar names,” Valentić said.