NPM packages disguised as Roblox API code caught carrying ransomware
2021-10-27 20:43

Security firm Sonatype on Wednesday said it had spotted two related malicious NPM libraries that were named so they might be mistaken for a popular legitimate module that serves as a Roblox API wrapper.

The legitimate module, Js, is a Roblox game API wrapper available on NPM and as a standalone download. Roblox is a gaming platform with more than 40 million daily active users.

Only a few days earlier, Sonatype spotted three more NPM libraries packed with cryptomining code.

Js is downloaded from NPM about 22,000 times a month and, according to Sonatype, has been downloaded more than 700,000 times in total.

Asked why NPM failed to catch these bad packages when they were created, Sonatype's Ax Sharma said it is a consequence of open source ecosystems and registries needing to maintain low barriers to entry so that anyone in the community has an easy way to contribute.

"Further complicating the matter is a gray area where security researchers will post proof-of-concept test packages as a part of research or bug bounty activities. What is seen as an effort to be more open unfortunately means many open source registries don't have strict security validations that could keep malicious typosquats and packages out."


News URL

https://go.theregister.com/feed/www.theregister.com/2021/10/27/npm_roblox_ransomware/