I haven’t seen anything on here yet about this certain issue, and I wanted to let as many people know I can about this new very, very clever method exploiters are using to trick developers into installing malicious plugins. I just had a run-in with this method a few hours ago as backdoors kept appearing in my game on studio launch. I did some digging, and it was due to a malicious plugin “Weld Plugin” created by @ Ozzypig (Supposedly!).
While I was checking out the plugins page in the catalog, I clicked on the creators name, @ Ozzypig, and it brought me to a group literally named “@ Ozzypig”.
Exploiters create groups and literally name them the handle of “trusted” individuals (e.g. “@ clonetrooper1019”), and upload malicious plugins under that group. There is literally no way to tell if the creator tag is a players actual @ handle or a groups name. Be careful out there!
tl;dr people can create groups that have the name of peoples @ handles (e.g. a group named “@ Ozzypig”) and publish malicious plugins under that group as to have the creator tag on the plugins site in catalog say it was created by that certain person, when in fact its just the groups name.
That was another interesting thing I noticed; the plugin says it was created only a few weeks ago, yet I’ve had this “weld plugin” for months now… Not sure how that happened…
Honestly I think this is something that is very easy to overlook, as even I was honestly surprised when I saw it was a group and kind of impressed at how clever it was lol
I-? Roblox REALLY needs to block “@” as a character as soon as they can.
In the past I liked that displaynames for being easy to identify fake plugins with because of the “@”, but I didn’t think or remember that groups allowed that. They shouldn’t anyway.
I don’t think I have used any fake ones, but I will scan for them, and I highly recommend you do so as well.
