This topic is about backdoors I’ve been finding in some toolbox models, especially ones related to cafes.
I was making a cafe game over the past few days, so I grabbed a couple of free models for inspiration. That’s when I noticed a script called “EffectBuilder” inside one of them. At first glance it looked harmless, but when I opened it up I saw it was obfuscated and contained a require(assetId) line. That script was actually pulling in a ModuleScript backdoor, which then tried to load even more modules.
When I tested a few other toolbox café models, I found the exact same script hiding inside them too. It looks like the same backdoor is being copied and spammed across multiple assets to trick developers.
For anyone not familiar, the danger with these kinds of scripts is that the require() is loading code from an external asset the creator controls. That means they could change the script at any time to run anything they want in your game — from inserting admin commands, to messing with data, or even giving exploiters a way in.
Tips for staying safe:
Always open and read through scripts in free models before using them.
Be suspicious of obfuscated or unreadable code, especially if it tries to require() an asset.
Do a quick search in your Explorer window for "require(" to spot hidden backdoors.
If you find one, delete it immediately and check if there are other suspicious scripts in the model.
If you want to know what the code does, you can check out this topic by @roalex2008.
I didn’t report the assets I came across because there are so many, but I wanted to share this here to warn other devs since it seems to be spread out. If you’ve been adding café-related models recently, it might be worth giving your game a quick scan.
Yep, I know this script all too well. If you know the asset ID please send it to @riddlemasta in DMs. If you know the actual asset in the Toolbox, report it via the report abuse/asset button there. Maybe a more proper channel can be made, but I can make a forum feature request for that.
Note that Roblox staff have short and long term plans for improving toolbox security.
For anyone in the future, the best thing to do to prevent this is to always play your game right after you add anything with scripts from the toolbox.
If you have issues and don’t know what asset is the problem in your game, save a copy of your game to a file, open it, and delete various things till the issue no longer occurs. You may have leads with what have scripts in them, (the OP has good notes on this) but some assets may work together and have a dependency.
I have tracked down the account that owns the asset id that the script requires, I just don’t know if I can share it on the devforum. It would be nice to see the account or the asset banned.
Reminds me that I have to open source the asset scanner that I built, it’s really makeshift, but will probably do for interesting work regardless, but it has false positives due to how broad I made it
most backdoors just add a makeshift LBI and try to be cool with it, that and randomly prompt purchases from users
