New 'Mad Liberator' Ransomware Gang Targets AnyDesk Users via Fake Windows Updates
Published on August 19, 2024
Dozens of malicious NPM packages designed to steal sensitive data and compromise systems have been detected mimicking the widely-used “noblox.js” library, particularly targeting the Roblox platform. This campaign, which began in August 2023, continues to pose a threat, with the latest malicious packages surfacing as recently as August 2024.
The Roblox platform has a massive user base of over 70 million daily active users. New malicious packages continue to appear despite multiple package takedowns, with some still active on the NPM registry.
The perpetrators of this campaign have employed advanced tactics like brandjacking, combosquatting, and starjacking, which enhance the perceived legitimacy of their malicious packages.
These tactics fall under the broader category of typosquatting. By creating package names like "noblox.js-async," "noblox.js-thread," and "noblox.js-api," attackers exploit developers' familiarity with multiple versions or extensions of libraries, tricking them into installing these malicious entities.
Starjacking involves linking malicious packages to the GitHub repository URL of the legitimate “noblox.js” package. This technique falsely inflates the popularity and trustworthiness of the malicious packages, misleading developers into believing they are genuine.
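A defender can screen for both patterns before installing anything. The following is an added example, not code from the article or from the noblox.js project: it checks a manifest's dependencies for names that embed a trusted package name (combosquatting) and for packages that claim a trusted package's repository under a different name (starjacking). The repository URL, the version numbers, the registry metadata and the `example-logger` package are constructed placeholders.

```javascript
// Added example. TRUSTED maps each package the team really uses to its repository.
// The URL is a placeholder, not the real project's repository.
const TRUSTED = new Map([["noblox.js", "https://github.com/example-org/noblox.js"]]);

// Reduce the forms npm accepts in "repository" to a comparable host/owner/repo string.
function normalizeRepo(repo) {
  const url = typeof repo === "string" ? repo : (repo && repo.url) || "";
  return url.toLowerCase()
    .replace(/^git\+/, "")                 // git+https://... -> https://...
    .replace(/^github:/, "github.com/")    // npm shorthand
    .replace(/^[a-z+]+:\/\//, "")          // drop the scheme
    .replace(/^[^@\/]+@/, "")              // drop user info such as "git@"
    .replace(/^([^\/:]+):/, "$1/")         // scp-style host:owner/repo
    .replace(/\.git$/, "")
    .replace(/\/+$/, "");
}

// Return the findings for one dependency; an empty array means nothing was flagged.
function auditDependency(name, meta = {}) {
  if (TRUSTED.has(name)) return [];
  const findings = [];
  const bare = name.toLowerCase().replace(/^@[^/]+\//, ""); // ignore any scope
  const repo = normalizeRepo(meta.repository);
  for (const [trusted, trustedRepo] of TRUSTED) {
    // Combosquatting: the trusted name with extra words, e.g. "noblox.js-async".
    if (bare.includes(trusted)) findings.push(`combosquat:${trusted}`);
    // Starjacking: a different package pointing at the trusted project's repository.
    if (repo && repo === normalizeRepo(trustedRepo)) findings.push(`starjack:${trusted}`);
  }
  return findings;
}

// Audit every dependency in a package.json object against registry metadata.
function auditManifest(pkgJson, registryMeta) {
  const deps = { ...pkgJson.dependencies, ...pkgJson.devDependencies };
  const report = {};
  for (const name of Object.keys(deps)) {
    const findings = auditDependency(name, registryMeta[name]);
    if (findings.length) report[name] = findings;
  }
  return report;
}

// Constructed sample input: a manifest and the registry metadata for its dependencies.
const SAMPLE_MANIFEST = {
  dependencies: { "noblox.js": "^1.0.0", "noblox.js-async": "^1.0.0", "example-logger": "^1.0.0" },
  devDependencies: { "noblox.js-thread": "^1.0.0" },
};
const SAMPLE_METADATA = {
  "noblox.js-async": { repository: { type: "git", url: "git+https://github.com/Example-Org/noblox.js.git" } },
  "noblox.js-thread": { repository: "github:someone/unrelated" },
};
console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST, SAMPLE_METADATA), null, 2));
```

A flagged name is a prompt for manual review rather than proof of malice, since legitimate plugins also embed the parent package's name.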
The malware can compromise Discord accounts by stealing tokens, collect sensitive system data, manipulate the Windows registry to execute malware whenever the Windows Settings app is opened, and deploy additional payloads such as the Quasar RAT.
Although these malicious packages have been removed from NPM, the compromised GitHub repository containing executable files remains active.
Quasar RAT is an open-source RAT widely used by malicious actors, mainly in phishing campaigns. It offers a rich set of capabilities and is freely available on public repositories.