Malicious Packages Target Roblox Developers

Aug 23 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that, when it comes to cybersecurity, fights fire with… a firewall ????

Today’s hottest cybersecurity news stories:

  • ???? Roblox Game Developers hit with malicious npm packages ????

  • ???? Spacecolon toolset powers worldwide surge in Scarab ransomware attacks ????

  • ???? A look Inside the new State of SaaS Security Posture Management Report ????

Wonder if they wrapped them… What’’s that? Oh, different kind of package, huh? ????

???? Malicious Packages Target Roblox Developers with Luna Token Grabber! ????

???? In a concerning development, over a dozen malicious packages have emerged on the npm package repository since August 2023.

These packages have the ability to deploy a dangerous open-source information stealer named Luna Token Grabber onto systems owned by Roblox developers. ????️‍♂️ ReversingLabs, a software supply chain security company, detected this ongoing attack campaign on August 1.

???? The attack strategy involves disguising these harmful modules as the legitimate "noblox.js" package, an API wrapper used for scripting interactions with the Roblox gaming platform. The malicious packages mimic code from the authentic noblox.js package but introduce harmful functions to steal sensitive information. ????️????

???? These rogue packages had already been downloaded a total of 963 times before they were identified and removed. Some of the malicious package names include "noblox.js-vps," "noblox.js-ssh," and "noblox.js-secure," with specific versions listed for each.

???? ReversingLabs highlights the complex nature of this attack, emphasising that malicious actors put significant effort into disguising their packages as legitimate ones. The malicious modules cleverly hide their harmful code in a separate file. Sneaky, sneaky!

⚠️ This incident underscores the trend of malicious actors using typosquatting to deceive developers into downloading harmful code disguised as legitimate packages.

Developers are urged to remain vigilant and verify package authenticity to protect their systems and user data. Stay safe! ????????????️

I came across ZZZ money club during the crypto market bull run when everyone’s a winner, even during the bear market this discord group has been amazing at giving information on projects and ways to make passive income in various ways.

The group is very active and everyone in this private discord group is very chatty and helpful.

Its run by Yourfriendandy and Decadeinvestor, you can find them here on YouTube, both top guys with great content.

If you are interested in joining the group you can through the link below.

Time for a colonoscopy? ????????????

???? Malicious Toolset "Spacecolon" Spreading Scarab Ransomware Globally! ????

⚠️ An ongoing campaign deploying the Spacecolon toolset is distributing various versions of the Scarab ransomware across organisations worldwide. ESET security researcher Jakub Souček revealed that the toolset likely gains entry through compromised web servers or RDP credential brute-forcing.

???? Slovak cybersecurity firm ESET, naming the threat actor "CosmicBeetle," traced Spacecolon's origins back to May 2020. Most victims are concentrated in France, Mexico, Poland, Slovakia, Spain, and Turkey.

???? While the adversary's exact origin is uncertain, Turkish strings within some Spacecolon variants suggest a Turkish-speaking developer's involvement. No current evidence links it to known threat groups.

???? Targets range from a Thai hospital to an Israeli insurance company, a Polish governmental institution, a Brazilian entertainment provider, a Turkish environmental firm, and a Mexican school.

⚙️ Spacecolon's core is ScHackTool, a Delhi-based orchestrator installing ScService—a backdoor with command execution, payload downloading, and system info retrieval capabilities. It fetches third-party tools from a remote server. The aim is to deliver Scarab ransomware via ScService.

???? CosmicBeetle also deploys ScRansom, encrypting drives using AES-128 with a hard-coded key. Interestingly, the adversary leaves traces on compromised systems, with little anti-analysis measures.

????️ "Spacecolon shows little effort to hide its malware and leaves artefacts," Souček noted. "CosmicBeetle operators use ScHackTool to download tools of choice to compromised machines."

Stay vigilant! ????????????

????️ Extra, Extra! Read all about it! ????️

Each fortnite, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!


  • ????The Crypto Nutshell: Crypto News & Expert Predictions all in a nutshell ????

  • ????The Breakthrough: Receive one idea, one question, and one exercise each week that could spark your next breakthrough.

  • ✈️ViaTravelers: Get exclusive travel tips, news, and insider deals right in your inbox.

Let us know what you think!

Don’t SaaS me! ????

???? SaaS (Software-as-a-Service) Cybersecurity: Insights from Latest Report! ????

???? The recent State of SaaS Security Posture Management Report by AppOmni highlights cybersecurity's growing significance in the SaaS landscape. While respondents expressed optimism, the reality of SaaS incidents and breaches unveils a different story.

???? Over 600 leaders from companies with 500-2,500+ employees participated, noting their confidence in SaaS cybersecurity readiness. 71% ranked their SaaS cybersecurity maturity as mid-high or highest level, and 73% rated SaaS application security similarly high.

???? However, despite the confidence, 79% admitted to experiencing SaaS cybersecurity incidents in the past year. These incidents occurred even with cybersecurity policies enforced (66%).

????️ SaaS breaches can cost organisations significantly, averaging $4.45 million in 2023. Over 85% believe their data is secure, yet breaches remain prevalent due to misconfigurations and exposure.

???? SaaS usage is underestimated. Gartner noted a 29% CAGR for SaaS-related services (2017-2022). Yet, legacy tools lack efficacy as SaaS threats shift. SaaS-to-SaaS connections pose risk with 60% unable to monitor them.

???? Key misconceptions include SaaS data security, risk visibility, and the SaaS cyber threat model. Respondents' confidence often contrasts AppOmni's findings, emphasising the need for dedicated cybersecurity.

????️ A robust SaaS cybersecurity program is vital for sustained protection, reducing vulnerabilities and fostering proactive security.

???? Embrace dedicated tools and programs to shift from perceived to actual SaaS cybersecurity confidence. Stay ahead of evolving threats! ????????????

So long and thanks for reading all the phish!

Recent articles