OMG This rabbit hole goes deep!
I sorted through them, I’ve found over 50 so far and all of their linking accounts.
Some of the accounts are banned, some are not, all look very suspicious.
Sadly, some of these link back to very old accounts too.
I’ve done so much work chasing down these accounts and where they go.
I really hope there’s a way to get someone at Roblox to help do something about this.
After finding this in my game which highly ticked me off, I decided to do some looking into it.
That plugin:
https://www.roblox.com/library/5722705373/Light-Editor-Updated
Comes from this group:
https://www.roblox.com/groups/7840914/Creator-Studi#!/about
By gregg3 who has apparently been deleted, but did not necessarily use that account to upload the real plugin
(I actually doubt they did).
It loads this plugin:
https://www.roblox.com/library/5722703997/MeshLoader
Which is uploaded by this alt
https://www.roblox.com/users/1888346787/profile/
Which loads this plugin:
https://www.roblox.com/library/5700633205/Asset
Which is uploaded by this alt
https://www.roblox.com/users/1719844019/profile/
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633462/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633735/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633977/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634215/Asset
Which loads this plugin:
https://www.roblox.com/library/5700633230/Asset
Which is uploaded by this alt
https://www.roblox.com/users/1719845707/profile/
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633488/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633762/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634001/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634242/Asset
Which loads this plugin:
https://www.roblox.com/library/5700633265/Asset
Which is uploaded by this alt
https://www.roblox.com/users/1719847055/profile/
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633515/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633787/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634024/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634267/Asset
Which loads this plugin:
https://www.roblox.com/library/5700633289/Asset
Which is uploaded by this alt
https://www.roblox.com/users/1719848182/profile/
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633544/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633811/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634047/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634293/Asset
Which loads this plugin:
https://www.roblox.com/library/5700633311/Asset
Which is uploaded by this alt
https://www.roblox.com/users/1719849465/profile/
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633582/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633839/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634077/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634318/Asset
Which loads this plugin:
https://www.roblox.com/library/5700633330/Asset
Which is uploaded by this alt
https://www.roblox.com/users/1719850548/profile/
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633608/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633865/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634102/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634338/Asset
Which loads this plugin:
https://www.roblox.com/library/5700633362/Asset
Which is uploaded by this alt
https://www.roblox.com/users/1719851574/profile/
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633362/Asset
… So this keeps going but I’m tired and need some sleep. Any help locating the source of this, and all the linked accounts so they can be turned in, would be greatly appreciated!
Okay, I finished my search.
If you ask me, ALL of these plugins need to be removed and all of these accounts should be banned.
As well as I think this thief needs to be IP/HWID banned.
So continuing my first list…
Which loads this plugin: (by the same alt)
Which loads this plugin: (by the same alt)
Which loads this plugin: (by the same alt)
Which loads this plugin: (by the same alt)
Which loads this plugin:
Which is uploaded by this alt
https://www.roblox.com/users/1719852440/profile/
Which loads this plugin: (by the same alt)
Which loads this plugin: (by the same alt)
Which loads this plugin: (by the same alt)
Which loads this plugin: (by the same alt)
Which loads this plugin:
Which is uploaded by this alt
Which loads this plugin: (by the same alt)
Which loads this plugin: (by the same alt)
Which loads this plugin: (by the same alt)
Which loads this plugin: (by the same alt)
Which loads this plugin:
Which is uploaded by this alt
https://www.roblox.com/users/1719856666/profile/
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633711/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633958/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634194/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634436/Asset
Which loads this plugin: (Looks like source!)
Which looks like it is the real source of the backdoor…
It is using a very obfuscated plugin.
Which is uploaded by this alt (More recent activity)
https://www.roblox.com/users/1722897238/profile/
(More recent activity and older alt account)
The dedication you have by doing all this research to discover how all this thing works is impressive. REAL impressive! Thumbs up from me for doing all of this extensive investigation! 
Hey, you guys can use this script I made, I know its not efficient but it does the work (sometimes).
(this code was made in a rush)
for i,v in pairs(game:GetDescendants()) do
pcall(function()
if v:IsA("Script") then
if string.find(v.Source, "RoSync Loader") then
local code = ""
local splitted = string.split(v.Source, "\n")
for lineNum, line in pairs(splitted) do
if not string.find(line, "Last synced") then
code = code.."\n"..line
end
end
v.Source = code
end
end
end)
end
basically, what it does is that:
for those who wishes to correct my code, please go ahead. make it efficient.
Here’s my version of a RoSync remover. To use this save it into the local plugins folder.
local button = plugin:CreateToolbar("oreoollie"):CreateButton("rm rosync", "Removes RoSync virus.", "rbxassetid://4826065214")
button.Click:Connect(function()
game:GetService("ChangeHistoryService"):SetWaypoint("remove RoSync")
button:SetActive(false)
local totalFixed = 0
for _, v in ipairs(game:GetDescendants()) do
local s, e = pcall(game.IsA, v, "BaseScript")
if not (s and e) then continue end
local occurrences
v.Source, occurrences = string.gsub(v.Source, "%s%-%-%[%[ Last synced.+", "")
totalFixed += math.clamp(occurrences, 0, 1)
end
warn("Fixed", totalFixed, "RoSync infected scripts")
end)
RoSyncRemover.lua (642 Bytes)
Heres another rosync remover that you can just run in command barRosyncremover.txt (683 Bytes)
yeah it’s just a virus and it can just be from plugins or models, I had that on my game and I was confused on what it was.
I also get that script with the Intro Creator plugin
it gives you a message saying to turn on http requests so it can teleport you and stuff
I made that, its an older version of the script i posted hahaha
All of these malicious scripts come from scam plugins.
If it keeps inserting “getfenv()” or some other suspicious thing into your game, then it can’t be anything but a plugin doing that. All you have to do is to find that plugin and get rid of it. Then make sure that the suspicious line of code doesn’t get inserted anymore. Finally, use the Find tool in script editor to search through all your scripts for that malicious line of code and make sure there are no such left.
Simply put: stop installing stupid random scam plugins with [NEW] [UPDATED] tags and everything is going to be okay.
The idea that scam plugins have tags like [NEW] and [UPDATED] is pretty far fetched most scam plugins steal a big plugins code and then re upload it, it tricks people into thinking it’s the same plugin. Yeah a few scam plugins have tags like that but you don’t see many with that anymore.
True. Sorry. Although, there’s still a plenty of plugins with mentioned tags. Most of stolen plugins are on the bestselling page of library. Make sure to always look for scams. Those are usually uploaded mutliple times by fake devs, so if you see same plugin multiple times - that’s most likely a scam. Another trait of scam plugins is that they are uploaded by people/groups with similar names all the time; some examples would be: “Plugin Developers”, “Plugin Makers”, “TrustedPlugins”, “[DeveloperX]”, “FrontPlugins”, “Creator Studio”, etc.
So, I think it’s really easy to find a scam plugin. I never really had issues with downloading such. I have no idea why people keep getting “catfished”. Why do they??
I heard of rosync before I want to look up for the company that provides backdoors to be honest
Here are the GitHubs that are the source of the malicous code 
Also someone told me this was an important part of the script http://45.79.27.137:8080/roblox DO NOT CLICK
Why what if I click it? Is it an ip grabber?
This isn’t malicious code. It’s a Lua bytecode interpreter.
I believe it is a webhook for the malicous Discord sever but I am not really sure. I would not click just to be safe 