
Several malicious packages have been identified on the npm package repository since the beginning of August 2023. These packages are capable of deploying an open-source information stealer named Luna Token Grabber on systems associated with Roblox developers.
This recent campaign was initially spotted on August 1 by the team at ReversingLabs. These modules pretend to be the authentic package called noblox.js, an API wrapper for scripting interactions with the Roblox gaming platform.
Industry experts from the software supply chain security firm recognized this activity, drawing parallels to an attack that surfaced in October 2021.
These deceitful packages mimic the legitimate noblox.js package, but with added malicious, data-stealing functions. The packages had been downloaded 963 times before their removal. The rogue packages include:
- noblox.js-vps (versions 4.14.0 to 4.23.0)
- noblox.js-ssh (versions 4.2.3 to 4.2.5)
- noblox.js-secure (versions 4.1.0, 4.2.0 to 4.2.3)
Though the general pattern of this recent attack wave mirrors its predecessor, it displays distinctive features, especially concerning the deployment of an executable that carries Luna Grabber.
According to ReversingLabs, this is one of the uncommon cases in which a multi-stage infection process has been observed on npm.
When discussing malicious campaigns targeting the software supply chain, the distinction between intricate and simple attacks often revolves around how much effort culprits invest to camouflage their assault, making malicious packages appear genuine.
The modules ingeniously hide their malicious intent within a separate file, postinstall.js, which activates post-installation. Interestingly, the original noblox.js package uses an identically named file to present gratitude to its community, along with links to resources and repositories.
In contrast, the counterfeit versions use this JavaScript file to check whether the package has been installed on a Windows system. If so, they fetch and launch a secondary payload from the Discord CDN; otherwise they display an error.
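The two traits described above, a name that piggybacks on a trusted package and an install-time lifecycle script, are things a defender can audit for in a package manifest before installing. The following is an added example, not code from the article or from ReversingLabs; the manifests are constructed, and the list of trusted names is an assumption you supply.

```javascript
// Added example (not from the article): audit an npm package.json object for
// a name that extends or closely resembles a trusted package name and for
// lifecycle scripts that run at install time (such as postinstall.js here).

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Levenshtein edit distance, used to catch near-misses of a trusted name.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      d[i][j] = Math.min(
        d[i - 1][j] + 1,                                   // deletion
        d[i][j - 1] + 1,                                   // insertion
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1), // substitution
      );
    }
  }
  return d[a.length][b.length];
}

// Returns human-readable findings; an empty array means nothing to review.
// An install hook is not proof of malice (the genuine noblox.js has one too),
// it is a pointer to the file that deserves a read before installation.
function auditManifest(manifest, trustedNames) {
  const findings = [];
  const name = String(manifest.name || '').toLowerCase();
  for (const trusted of trustedNames) {
    if (name === trusted) continue; // the trusted package itself
    if (name.startsWith(trusted + '-') || name.startsWith(trusted + '.')) {
      findings.push(`name "${name}" extends trusted name "${trusted}"`);
    } else if (editDistance(name, trusted) <= 2) {
      findings.push(`name "${name}" is within 2 edits of "${trusted}"`);
    }
  }
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push(`install-time hook ${hook}: ${scripts[hook]}`);
  }
  return findings;
}

// Constructed manifests: one shaped like the rogue packages, one benign.
const SAMPLE_ROGUE = { name: 'noblox.js-vps', version: '4.14.0',
  scripts: { postinstall: 'node postinstall.js' } };
const SAMPLE_CLEAN = { name: 'left-pad', version: '1.3.0',
  scripts: { test: 'tap test/*.js' } };

console.log(auditManifest(SAMPLE_ROGUE, ['noblox.js']));
```

Run it against the package.json of any dependency before adding it, or over every manifest under node_modules after a lockfile change.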
ReversingLabs observed that this secondary stage underwent continuous enhancements, consistently integrating advanced features and obfuscation techniques to counteract analysis. Its main task is to fetch Luna Token Grabber, a Python utility capable of extracting credentials from web browsers and Discord tokens.
Still, the actor behind this npm campaign appears to have chosen only to collect system information from victims, using a configurable builder provided by the creators of Luna Token Grabber.
Earlier, in June, Trellix disclosed a new Go-based information stealer, Skuld, that shares traits with this malware. The campaign underscores the continuing reliance on typosquatting, in which attackers trick developers into downloading harmful code by mimicking legitimate package names.