Researchers at ReversingLabs discovered a supply chain attack targeting Roblox game developers: malicious NPM packages named to impersonate legitimate noblox.js Roblox scripting utilities were delivering Luna Grabber malware capable of stealing browser cookies, Discord tokens, saved credentials, and session data from any developer who installed them.
Stories Covered
Luna Grabber: Malicious NPM Packages Target Roblox Developers in Supply Chain Attack
ReversingLabs researchers identified a cluster of malicious packages on the NPM registry designed to target Roblox game developers. The packages — including names like noblox.js-vps, noblox.js-ssh, and noblox.js-secure — were crafted to impersonate the legitimate noblox.js library, a widely used package that allows developers to build scripts that interact with the Roblox platform API. Developers who installed these packages expecting standard Roblox scripting utilities were instead getting Luna Grabber, a commodity infostealer capable of harvesting browser cookies, Discord bot tokens and OAuth credentials, saved passwords, and other session data stored locally on the machine. The attack was discovered not because the packages announced themselves, but because researchers noticed them performing operations completely inconsistent with their stated purpose — executing command-line instructions, enumerating files, and collecting system user information when they should have been doing nothing more than wrapping Roblox API calls.
This is a supply chain attack in the most straightforward sense: rather than compromising Roblox directly or exploiting a vulnerability in legitimate software, the attackers inserted themselves into the trust relationship between developers and the package ecosystem they rely on. NPM hosts millions of packages and developers regularly pull in dependencies without auditing source code — a million-line open source package is not going to get read line by line regardless of how careful the developer is. The attackers exploited that trust gap by naming packages to resemble legitimate ones and placing them in the same registry. Once a developer installs the package and it runs on their development machine, the grabber has access to everything stored locally: Discord server admin credentials could expose entire communities, browser cookies could provide session access to financial and development accounts without requiring passwords, and compromised Roblox developer credentials could affect the players of any games that developer maintains.
The supply chain attack vector is becoming more prevalent precisely because it scales well for attackers: one convincing malicious package can infect every developer who installs it, and the secondary blast radius includes every user or community downstream of those developers. The log4j vulnerability — not itself a supply chain attack but an illustration of how ubiquitous a widely-adopted package becomes — demonstrated that the software industry’s reliance on shared dependencies creates systemic exposure. When the dependency is deliberately malicious rather than accidentally vulnerable, the attack is targeted and immediate rather than requiring exploitation. For developers: audit packages before installing, check download counts and publish dates against the legitimate package you intend to install, and watch for packages with names that are close variations of well-known ones. For Roblox developers specifically: check your installed NPM packages against known-good versions, rotate any Discord tokens or credentials that may have been accessible on affected machines, and treat any machine that ran one of these packages as potentially compromised until verified otherwise.
Leave a Reply