Malicious NPM Packages Mimicking ‘noblox.js’ Target Roblox Developers’ Systems

Published on September 2, 2024
Written by:
Lore Apostol
Cybersecurity & Streaming Writer

Dozens of malicious NPM packages designed to steal sensitive data and compromise systems have been detected mimicking the widely-used “noblox.js” library, particularly targeting the Roblox platform. This campaign, which began in August 2023, continues to pose a threat, with the latest malicious packages surfacing as recently as August 2024.

The Roblox platform has a massive user base of over 70 million daily active users. New malicious packages continue to appear despite multiple package takedowns, with some still active on the NPM registry.

The perpetrators of this campaign have employed advanced tactics like brandjacking, combosquatting, and starjacking, which enhance the perceived legitimacy of their malicious packages.

These tactics fall under the broader category of typosquatting. By creating package names like "noblox.js-async," "noblox.js-thread," and "noblox.js-api," attackers exploit developers' familiarity with multiple versions or extensions of libraries, tricking them into installing these malicious packages.

[Figure: Fake Noblox.js Package | Source: Checkmarx]

Starjacking involves linking malicious packages to the GitHub repository URL of the legitimate “noblox.js” package. This technique falsely inflates the popularity and trustworthiness of the malicious packages, misleading developers into believing they are genuine.

The malware can compromise Discord accounts by stealing tokens, collect sensitive system data, manipulate the Windows registry so that the malware executes whenever the Windows Settings app is opened, and deploy additional payloads such as the Quasar RAT.

Although these malicious packages have been removed from NPM, the compromised GitHub repository containing the executable files remains active.

Quasar RAT is an open-source remote access trojan widely used by malicious actors, mainly in phishing campaigns. It offers a rich set of capabilities and is freely available on public repositories.
