We have identified more than a dozen malicious packages targeting Roblox API users on the GitHub npm repository. These malicious packages reproduce code from the legitimate noblox.js package but add malicious code.
The malicious packages imitated the legitimate package noblox.js, a Node.js Roblox API wrapper used to write scripts that interact with the Roblox platform.
This was identified on August 22, 2023, but it is believed to have begun in early August. You can find more information here: Link
Here are the packages we have identified as malicious. We recommend you all take a look at the packages you have installed. If you are affected, clean your system with a trusted anti-virus.
Considering noblox is a community-created OSS package with little to no Roblox involvement, it pleases my heart that Roblox is looking out for the OSS community and took the time to post an announcement about this issue given how some users wish to create third-party applications to interface with Roblox.
It’s so important to have Open Cloud so we can write third-party applications with reduced security vulnerabilities like this. We would be working with OAuth2 and other API validations rather than raw tokens, unsupported hacks/workarounds or inappropriately elevated access.
Huge cheers for this. It’s a big sign of Roblox’s acknowledgement and appreciation of the OSS community out in the open instead of behind closed curtains.
Looks like the malware installation/execution happens in the postinstall script, so if you installed these packages and have postinstall scripts disabled for npm then you might be okay, though still run an antimalware check.
IIRC distribution of malware has been possible with postinstall scripts for a while, it’s just not as common for bad actors to use as other methods.
Thanks for keeping a lookout for open-source users.
Well, I’m glad that I have nothing to worry about! I am still learning about development, so I haven’t tried using external APIs. Haven’t needed to.
We also are name squatting noblox to point to the main package and have noblox.js-server that is a templated version with an integrated Koa webserver for basic actions to quickly integrate with Roblox place.
This exact issue popped up in mid-late 2021 (1)(2) and made minor news headlines. We made webscrapers to detect and report them until the spoofs fell off. Seems like we need to start them back up again.
Be mindful this is all the action of bad actors and is not at all affiliated with the main repository.
While we are at it, can Roblox start enrolling in the GitHub secrets program to automatically invalidate leaked OpenCloud keys and ROBLOSECURITY cookies… thanks.
Thank you! I’m very glad that Roblox started to identify malicious packages as well.
Make sure to always check the source that you’re downloading packages and plugins from. If you want, you can also check the source code of the packages before running to make sure they don’t contain any malicious code.
Thanks for the notice; it’s very well appreciated.
It’s good to see that you’re involved in this community and on the lookout for malicious stuff. From what it looks like, these typosquatting packages only had a couple hundred total installs, which postinstalled Luna-generated malware. You can see the VT here.
If you installed one of these fake noblox packages, based on the configuration, it only took systeminfo. This includes things like operating system configuration, security information, product ID, and hardware properties (such as RAM, disk space, and network cards).
As always, double-check everything you install. Just because these noblox packages were found doesn’t mean there aren’t other malware-infected fake packages. Stay safe!
I did not expect Roblox to go ahead and warn the developer community, that’s honestly appreciated! (even tho it’s written in such a way that those who never heard about node.js/npm are easily confused lol)
Also nice acknowledgement for the OSS community! Having Roblox officially writing something about noblox.js wasn’t something I saw coming.
It’s interesting how noblox is considered to be legitimate, I genuinely thought someone made a module for the API and had no actual affiliation with Roblox. Is the package noblox.js-server a legitimate package or illegitimate? I keep seeing it each time I search for Roblox modules.
I am a bit confused if noblox is community made or Roblox maintained.
noblox is created by the community, but a LOT of people use it to interact with the Roblox API in JavaScript. Hence why it is such a big priority to notify users who use it.