The Cyber Security News

Latest Cyber Security News

Malicious NPM Libraries Caught Installing Password Stealer and Ransomware

October 28, 2021

Malicious actors have yet again published two more typosquatted libraries to the official NPM repository that mimic a legitimate package from Roblox, the game company, with the goal of stealing credentials, installing remote access trojans, and infecting the compromised systems with ransomware.

The bogus packages, named “noblox.js-proxy” and “noblox.js-proxies,” were found to impersonate a library called “noblox.js,” a Roblox game API wrapper that is available on NPM and boasts nearly 20,000 weekly downloads. The two poisoned libraries were downloaded a total of 281 and 106 times respectively.

According to Sonatype researcher Juan Aguirre, who discovered the malicious NPM packages, the author of noblox.js-proxy first published a benign version that was later tampered with to add obfuscated text, in reality a Batch (.bat) script, to the post-installation JavaScript file.

This Batch script, in turn, downloads malicious executables from Discord’s Content Delivery Network (CDN) that are responsible for disabling anti-malware engines, achieving persistence on the host, siphoning browser credentials, and even deploying binaries with ransomware capabilities.
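As an added example (not from the article or from Sonatype's research), a minimal dependency audit that flags the two signals described above: a package name that extends or misspells a trusted name, and the presence of npm install lifecycle scripts. The manifests, the trusted list and the function names are constructed for illustration.

```javascript
// Added example: constructed manifests, hypothetical helper names.
const LIFECYCLE = ["preinstall", "install", "postinstall"];

// Classic Levenshtein edit distance between two strings.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1,
        prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns the trusted name a dependency imitates, or null.
// Edit distance alone misses "noblox.js-proxy" (distance 6 from
// "noblox.js"), so added prefixes and suffixes are checked first.
function lookalikeOf(name, trusted) {
  if (trusted.includes(name)) return null;
  for (const t of trusted) {
    if (name.startsWith(t) || name.endsWith(t)) return t; // affix added
    if (editDistance(name, t) <= 2) return t;             // small misspelling
  }
  return null;
}

// manifests: parsed package.json objects of the dependencies to review.
function auditDependencies(manifests, trusted) {
  const findings = [];
  for (const m of manifests) {
    const imitates = lookalikeOf(m.name, trusted);
    const hooks = LIFECYCLE.filter((k) => m.scripts && m.scripts[k]);
    if (imitates || hooks.length) findings.push({ name: m.name, imitates, hooks });
  }
  return findings;
}

// Constructed sample data; versions and script commands are placeholders.
const TRUSTED = ["noblox.js"];
const SAMPLE = [
  { name: "noblox.js", version: "0.0.0" },
  { name: "noblox.js-proxy", version: "0.0.0", scripts: { postinstall: "node postinstall.js" } },
  { name: "noblox.js-proxies", version: "0.0.0", scripts: { postinstall: "node postinstall.js" } },
  { name: "example-utils", version: "0.0.0" },
];
console.log(auditDependencies(SAMPLE, TRUSTED));
```

Installing with `npm install --ignore-scripts` keeps lifecycle scripts from running while flagged packages are reviewed.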

Recent research from Check Point Research and Microsoft-owned RiskIQ revealed how threat actors are increasingly abusing Discord CDN, a platform with 150 million users, to persistently deliver 27 unique malware families, ranging from backdoors and password stealers to spyware and trojans.

While both of the malicious NPM libraries have since been taken down and are no longer available, the findings are yet another indication of how popular code registries like NPM, PyPI, and RubyGems have emerged as a lucrative frontier for carrying out a variety of attacks.

The disclosure also mirrors a recent supply-chain attack aimed at “UAParser.js,” a popular JavaScript NPM library with over 6 million weekly downloads, that resulted in the developer’s account being hijacked to corrupt the package with cryptocurrency mining and credential-stealing malware, days after three other copycat crypto-mining packages were purged from the registry.

Some parts of this article are sourced from:
thehackernews.com

Copyright © TheCyberSecurity.News, All Rights Reserved.