Malicious Packages Targeting Roblox API Users

Hello Developers,

We have identified more than a dozen malicious packages targeting Roblox API users on the GitHub npm repository. These malicious packages reproduce code from the legitimate noblox.js package but add malicious code.

The malicious packages imitated the legitimate package noblox.js, a Node.js Roblox API wrapper used to write scripts that interact with the Roblox platform.

This was identified on August 22, 2023, but it is believed to have begun in early August. You can find more information here: Link

Here are the packages we have identified as malicious. We recommend you all take a look at the packages you have installed. If you are affected, clean your system with a trusted anti-virus.

package_name version SHA1
noblox.js-vps 4.14.0 6c5c33d7dc70e18287dff364dea6f75395f13d5e
noblox.js-vps 4.15.0 f7fd66cca3d60db664f4495ac4247850820487d5
noblox.js-vps 4.16.0 ff0f7108b310818a05e5a2ddb929758c80f325b3
noblox.js-vps 4.17.0 8e7208dca6c3be903fd9711522ac5e4c6292aae9
noblox.js-vps 4.18.0 f398b213ba8b53645a9e018b3c626f5af93e39ce
noblox.js-vps 4.19.0 13ddeea9d9ca03dffc3dbb28ecf57c1aa408b06e
noblox.js-vps 4.20.0 a7521ed8c64a8ad0c7923b33a793493f3ef54ec8
noblox.js-vps 4.21.0 c505d9f99ef4628e345d18681126959352cfd612
noblox.js-vps 4.22.0 421f5f6522afe0329847d0cd1cf0163f6c8c5430
noblox.js-vps 4.23.0 21d368c68b40fc0a9f5403cc1d9160cd2326d8ee
noblox.js-ssh 4.2.3 4f83a57e3e74698cdb5a7c15e17d396f68d3ac29
noblox.js-ssh 4.2.4 0c3fec3308d3f475b6343df7369835f120712a07
noblox.js-ssh 4.2.5 1ffc56b5b0bc1c5c845c78b7230d00877d5c57e4
noblox.js-secure 4.1.0 06209e3806220cf453fbfa5f27d04c2c4c402007
noblox.js-secure 4.2.0 35086a14a572a19884fb9b912fda619c6f01699c
noblox.js-secure 4.2.1 3a5e75a3d62c5e213798589d90fb696d791f6095
noblox.js-secure 4.2.2 f0d31b98e261b99bf12de9b800f8a931d672fa03
noblox.js-secure 4.2.3 fcd4ab5b8ddc002c71f1c9f8c5038a9a331a8716
293 Likes


Oh wow, at least I didn’t install an API. This could have done some serious damage to my computer.

45 Likes

Considering noblox is a community-created OSS package with little to no Roblox involvement, it pleases my heart that Roblox is looking out for the OSS community and took the time to post an announcement about this issue given how some users wish to create third-party applications to interface with Roblox.

It’s so important to have Open Cloud so we can write third-party applications with reduced security vulnerabilities like this. We would be working with OAuth2 and other API validations rather than raw tokens, unsupported hacks/workarounds or inappropriately elevated access.

Huge cheers for this. It’s a big sign of Roblox’s acknowledgement and appreciation of the OSS community out in the open instead of behind closed curtains.

127 Likes

I did not expect this. Thanks for keeping the community safe.

34 Likes

Looks like the malware installation/execution happens in the postinstall script, so if you installed these packages and have postinstall scripts disabled for npm then you might be okay, though still run an antimalware check.
IIRC distribution of malware has been possible with postinstall scripts for a while, it’s just not as common for bad actors to use as other methods.

Thanks for keeping a lookout for open-source users.

21 Likes

Well, I’m glad that I have nothing to worry about! I am still learning about Development, so I haven’t tried using External APIs. Haven’t needed to.

21 Likes

Can somebody tell me the real package? I just realized I have three different ones :sweat_smile:

20 Likes

Surprised that the ONLY project that is targeted is noblox.js…

15 Likes

The primary package is noblox.js, through GitHub - noblox/noblox.js: A Node.js API wrapper for Roblox.

We are also name-squatting noblox to point to the main package and have noblox.js-server, which is a templated version with an integrated Koa webserver for basic actions to quickly integrate with a Roblox place.

This exact issue popped up in mid-late 2021 (1) (2) and made minor news headlines. We made webscrapers to detect and report them until the spoofs fell off. Seems like we need to start them back up again.

Be mindful this is all the action of bad actors and is not at all affiliated with the main repository.

While we are at it, can Roblox start enrolling in the GitHub secrets program to automatically invalidate leaked OpenCloud keys and ROBLOSECURITY cookies… thanks. :wink:

34 Likes

Thank you! I’m very glad that Roblox started to identify malicious packages as well.
Make sure to always check the source that you’re downloading packages and plugins from. If you want, you can also check the source code of the packages before running to make sure they don’t contain any malicious code.

15 Likes

Thanks for the notice; it’s very well appreciated.

It’s good to see that you’re involved in this community and on the lookout for malicious stuff. From what it looks like, these typosquatting packages only had a couple hundred total installs, which postinstalled Luna-generated malware. You can see the VT. here.

If you installed one of these fake noblox packages, based on the configuration, it only took systeminfo. This includes things like operating system configuration, security information, product ID, and hardware properties (such as RAM, disk space, and network cards).

As always, double-check everything you install. Just because these noblox packages were found doesn’t mean there aren’t other malware-infected fake packages. Stay safe!

17 Likes

Only is very light.

That contains your email, product key, login server (more dangerous if you have a managed PC, like school or work), local IP, and antivirus status.

13 Likes

I did not expect Roblox to go ahead and warn the developer community, that’s honestly appreciated! (even tho it’s written in such a way that those who never heard about node.js/npm are easily confused lol)

Also nice acknowledgement for the OSS community! Having Roblox officially writing something about noblox.js wasn’t something I saw coming.

13 Likes

Thanks for notifying, I honestly never knew about this happening.

10 Likes

Great to see Roblox notifying Developers about these malicious packages, will keep this in mind!

11 Likes

It’s interesting how noblox is considered to be legitimate, I genuinely thought someone made a module for the API and had no actual affiliation with Roblox. Is the package noblox.js-server a legitimate package or illegitimate? I keep seeing it each time I search for Roblox modules.

I am a bit confused if noblox is community made or Roblox maintained.

13 Likes

I’m fairly sure noblox is community-made, which surprises me that Roblox alerted people about it.

12 Likes

noblox is created by the community, but a LOT of people use it to interact with the Roblox API in JavaScript. Hence why it is such a big priority to notify users who use it.

10 Likes

It is, you can find it via the noblox.js (github.com).

7 Likes