Researchers have spotted a host of malicious, multistage packages on the npm public repository that implant an open source, information-stealing malware known as Luna Grabber.
In order to infect its victims, the packages imitate a legitimate package, such as noblox.js — “a Node.js Roblox API wrapper used to write scripts that interact with the Roblox gaming platform,”. The malicious packages reproduce code from the legitimate package but add information-stealing functions to the mix.
The script developers ultimately run on the Roblox platform and thus unwittingly fall prey to Luna Grabber, which is an open-source malware designed to steal information from the user’s local web browser, Discord application, and more.
These campaigns came into the limelight while monitoring the npm public repository and noblox.js-vps, which were the first malicious package they happened upon.
The package displayed suspicious behaviors, such as executing commands in the command line, containing URLs that linked to Discord attachments, enumerating files in a given directory, and enumerating user information, among other actions.
Researchers have also identified other malicious packages that are similar, such as noblox.js-ssh and noblox.js-secure.
Even though the impact of noblox.js-vps and other malicious packages in this campaign wasn’t high, it is a reminder to security and software development teams that threats lurk consistently in open-source repositories, making choosing which package to include in the development process critical.
This research was documented by researchers from ReversingLabs.