[SOLVED] Need help finding a malicious script in my game

Okay so, recently there’s been a shirt that automatically prompts a purchase every time a player joins the game. In the developer console I found that the shirt was the following: api.roblox.com/marketplace/productinfo?assetId=35750950779 but I’ve tried searching the product ID and the asset ID in Ctrl+Shift+F, I found nothing.

There have also been these scripts with random numbers and Chinese characters that show stuff similar to ewfsD = “RunService”, etc.

We have around 5-6 people with access to our team create. Everyone claims it wasn’t them, which means it could be a plugin; however, somebody added some clearly free modeled scripts such as “HD Graphics” and “Galaxys Anti Lag” which have since been deleted.

I think it might be a malicious plugin or something.

Please drop your thoughts below. I’ll update this with more I find.

UPDATE: Somebody on my development team has the “HD Graphics Plugin” created by @nl2p

1 Like

One of the reasons private modules got removed is due to malicious plugins; they can be a cause. Those anti-lag scripts and anti-exploit scripts aren’t things I’d trust.

If you want to stop it happening, then you’ll each have to check your plugins. Some good plugins were like-botted and people downloaded those instead of the original, so you’ll have to be careful.

I guess the lesson here is never use free models. But I hope you find your issue.

1 Like

Search for these:
“require”
“loadstring”
“MarketplaceService”
“PromptPurchase”
“reverse”
“byte”
“sub”
“..”
“tonumber”
“getfenv”
“setfenv”
“= game\n”
“game[”

Code might be hidden by padding it to the right so that it won’t appear on your monitor unless you realize you have to scroll.

It’s possible they are getting to the purchase function in a way that’s really hard to search for, such as indexing methods as concatenated strings.

If the asset ID isn’t able to be found it’s probably obfuscated as a string or something and then converted.

You could possibly use the microprofiler tool to see what functions are getting called when there is a purchase made.

6 Likes

I don’t use free models, but a lot of people with access to the game like to.

Try using CTRL+Shift+F and searching for \114\101\113\117\105\114\101.

If nothing is found, then either you or one of your developers is using an infected plugin.

I suggest using the following plugin to perform a search:
https://www.roblox.com/library/2670956620/Hidden-Infection-Script-Detector

1 Like
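An added example, not part of any post in this thread: a small scanner that applies the search list above to script source after undoing the three hiding tricks mentioned (decimal escapes such as `\114\101...`, strings split with `..`, and code padded far to the right). It assumes the script sources have been exported from the place as plain text; the names `normalize`, `scan` and `SAMPLE` are hypothetical.

```python
import re

# Terms taken from the search list in the thread above.
TERMS = ("require", "loadstring", "MarketplaceService", "PromptPurchase",
         "getfenv", "setfenv")
DECIMAL_ESCAPE = re.compile(r"\\(\d{1,3})")      # Lua "\114" style escapes
CONCAT = re.compile(r"""["']\s*\.\.\s*["']""")   # "Prompt" .. "Purchase"
PAD_RUN = re.compile(r"[ \t]{40,}(?=\S)")        # code pushed off-screen

def normalize(line):
    """Decode decimal escapes, then merge string literals joined by `..`."""
    def decode(m):
        n = int(m.group(1))
        return chr(n) if n < 256 else m.group(0)
    return CONCAT.sub("", DECIMAL_ESCAPE.sub(decode, line))

def scan(source):
    """Return (line_no, what, how) findings for one script's source text."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        clean = normalize(line)
        for term in TERMS:
            if term in clean:
                # "hidden": only visible after decoding, so a plain
                # Ctrl+Shift+F search for the term would miss this line.
                how = "plain" if term in line else "hidden"
                findings.append((no, term, how))
        if PAD_RUN.search(line):
            findings.append((no, "padding", "offscreen"))
    return findings

# Constructed sample, not taken from any real infected script.
SAMPLE = (
    'local ewfsD = "RunService"\n'
    'local m = "\\114\\101\\113\\117\\105\\114\\101"\n'
    'local s = game:GetService("Marketplace" .. "Service")\n'
    'print("hi")' + " " * 120 + 'local f = getfenv()\n'
)

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Findings marked `hidden` are the ones worth opening first, since legitimate scripts rarely need to encode or split the name of a service or of `require`.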

That plugin was messing with another person’s stuff yesterday. I’d suggest being more careful with who you let on the development team. I wouldn’t consider people who use a lot of free models or non-official plugins to be too reliable and more or less a reliability. This thread is a good place to start to acquire the proper “real” plugins: Known Malicious Plugins for HISR detection Megathread

1 Like

We helped another person with a similar issue yesterday, try looking through this topic:

To briefly sum it up, you’ll want all of your team members to remove plugins created by nl2p. Then enable the setting that is detailed here, and attempt to search through all of the various services until you find the culprit. Again, the topic above should help guide you through it.

3 Likes

[image] Looks like I’ve caught the intruder

1 Like

If I were you I would close the teamcreate and just have them develop what you need. Then have them send you certain things they create for you until you feel like you can trust them all inside one teamcreate. Remove all your plugins and scan every instance in your game, especially the instances that are hidden with the default studio settings.

Yeah it was a malicious plugin. -_- so annoying, I don’t know why people do that to other people.