Malicious Packages Target Roblox Developers

Aug 23 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that, when it comes to cybersecurity, fights fire withโ€ฆ a firewall ๐Ÿ˜

Todayโ€™s hottest cybersecurity news stories:

  • ๐Ÿค– Roblox Game Developers hit with malicious npm packages ๐Ÿ“ฆ

  • ๐Ÿช Spacecolon toolset powers worldwide surge in Scarab ransomware attacks ๐Ÿ’ฐ

  • ๐Ÿ”Ž A look Inside the new State of SaaS Security Posture Management Report ๐Ÿ“

Wonder if they wrapped themโ€ฆ Whatโ€™โ€™s that? Oh, different kind of package, huh? ๐Ÿ™ˆ

๐Ÿ”’ Malicious Packages Target Roblox Developers with Luna Token Grabber! ๐Ÿ”’

๐Ÿ“ข In a concerning development, over a dozen malicious packages have emerged on the npm package repository since August 2023.

These packages have the ability to deploy a dangerous open-source information stealer named Luna Token Grabber onto systems owned by Roblox developers. ๐Ÿ•ต๏ธโ€โ™‚๏ธ ReversingLabs, a software supply chain security company, detected this ongoing attack campaign on August 1.

๐ŸŽฎ The attack strategy involves disguising these harmful modules as the legitimate "noblox.js" package, an API wrapper used for scripting interactions with the Roblox gaming platform. The malicious packages mimic code from the authentic noblox.js package but introduce harmful functions to steal sensitive information. ๐Ÿ•ท๏ธ๐Ÿ’ป

๐Ÿ“ฅ These rogue packages had already been downloaded a total of 963 times before they were identified and removed. Some of the malicious package names include "noblox.js-vps," "noblox.js-ssh," and "noblox.js-secure," with specific versions listed for each.

๐Ÿ’ก ReversingLabs highlights the complex nature of this attack, emphasising that malicious actors put significant effort into disguising their packages as legitimate ones. The malicious modules cleverly hide their harmful code in a separate file. Sneaky, sneaky!

โš ๏ธ This incident underscores the trend of malicious actors using typosquatting to deceive developers into downloading harmful code disguised as legitimate packages.

Developers are urged to remain vigilant and verify package authenticity to protect their systems and user data. Stay safe! ๐Ÿšจ๐Ÿ”’๐Ÿ›ก๏ธ

I came across ZZZ money club during the crypto market bull run when everyoneโ€™s a winner, even during the bear market this discord group has been amazing at giving information on projects and ways to make passive income in various ways.

The group is very active and everyone in this private discord group is very chatty and helpful.

Its run by Yourfriendandy and Decadeinvestor, you can find them here on YouTube, both top guys with great content.

If you are interested in joining the group you can through the link below.

Time for a colonoscopy? ๐Ÿ˜ฌ๐Ÿ˜‚๐Ÿ’€

๐ŸŒŒ Malicious Toolset "Spacecolon" Spreading Scarab Ransomware Globally! ๐ŸŒŒ

โš ๏ธ An ongoing campaign deploying the Spacecolon toolset is distributing various versions of the Scarab ransomware across organisations worldwide. ESET security researcher Jakub Souฤek revealed that the toolset likely gains entry through compromised web servers or RDP credential brute-forcing.

๐Ÿ”’ Slovak cybersecurity firm ESET, naming the threat actor "CosmicBeetle," traced Spacecolon's origins back to May 2020. Most victims are concentrated in France, Mexico, Poland, Slovakia, Spain, and Turkey.

๐ŸŒ While the adversary's exact origin is uncertain, Turkish strings within some Spacecolon variants suggest a Turkish-speaking developer's involvement. No current evidence links it to known threat groups.

๐ŸŽฏ Targets range from a Thai hospital to an Israeli insurance company, a Polish governmental institution, a Brazilian entertainment provider, a Turkish environmental firm, and a Mexican school.

โš™๏ธ Spacecolon's core is ScHackTool, a Delhi-based orchestrator installing ScServiceโ€”a backdoor with command execution, payload downloading, and system info retrieval capabilities. It fetches third-party tools from a remote server. The aim is to deliver Scarab ransomware via ScService.

๐Ÿ”‘ CosmicBeetle also deploys ScRansom, encrypting drives using AES-128 with a hard-coded key. Interestingly, the adversary leaves traces on compromised systems, with little anti-analysis measures.

๐Ÿ›ก๏ธ "Spacecolon shows little effort to hide its malware and leaves artefacts," Souฤek noted. "CosmicBeetle operators use ScHackTool to download tools of choice to compromised machines."

Stay vigilant! ๐Ÿšจ๐Ÿ”’๐ŸŒ

๐Ÿ—ž๏ธ Extra, Extra! Read all about it! ๐Ÿ—ž๏ธ

Each fortnite, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!


  • ๐Ÿ’ฐThe Crypto Nutshell: Crypto News & Expert Predictions all in a nutshell ๐Ÿ’ช

  • ๐Ÿ“ˆThe Breakthrough: Receive one idea, one question, and one exercise each week that could spark your next breakthrough.

  • โœˆ๏ธViaTravelers: Get exclusive travel tips, news, and insider deals right in your inbox.

Let us know what you think!

Donโ€™t SaaS me! ๐Ÿ˜

๐Ÿ” SaaS (Software-as-a-Service) Cybersecurity: Insights from Latest Report! ๐Ÿ”

๐Ÿ“Š The recent State of SaaS Security Posture Management Report by AppOmni highlights cybersecurity's growing significance in the SaaS landscape. While respondents expressed optimism, the reality of SaaS incidents and breaches unveils a different story.

๐Ÿ‘ฅ Over 600 leaders from companies with 500-2,500+ employees participated, noting their confidence in SaaS cybersecurity readiness. 71% ranked their SaaS cybersecurity maturity as mid-high or highest level, and 73% rated SaaS application security similarly high.

๐Ÿšซ However, despite the confidence, 79% admitted to experiencing SaaS cybersecurity incidents in the past year. These incidents occurred even with cybersecurity policies enforced (66%).

๐Ÿ›ก๏ธ SaaS breaches can cost organisations significantly, averaging $4.45 million in 2023. Over 85% believe their data is secure, yet breaches remain prevalent due to misconfigurations and exposure.

๐ŸŒ SaaS usage is underestimated. Gartner noted a 29% CAGR for SaaS-related services (2017-2022). Yet, legacy tools lack efficacy as SaaS threats shift. SaaS-to-SaaS connections pose risk with 60% unable to monitor them.

๐Ÿ” Key misconceptions include SaaS data security, risk visibility, and the SaaS cyber threat model. Respondents' confidence often contrasts AppOmni's findings, emphasising the need for dedicated cybersecurity.

๐Ÿ›ก๏ธ A robust SaaS cybersecurity program is vital for sustained protection, reducing vulnerabilities and fostering proactive security.

๐Ÿš€ Embrace dedicated tools and programs to shift from perceived to actual SaaS cybersecurity confidence. Stay ahead of evolving threats! ๐Ÿ”’๐Ÿ”๐ŸŒ

So long and thanks for reading all the phish!

Recent articles