Using a technique known as typosquatting, hackers attempt to lure unsuspecting Roblox and Rust developers into downloading malicious software packages from the npm package repository and Rust Crates.io registry.
Roblox npm Packages
Since the beginning of August, researchers at ReversingLabs have identified more than a dozen malicious packages in the npm package repository targeting Roblox game developers. According to the researchers, the modules masquerade as noblox.js, a legitimate Node.js API wrapper for interacting with the Roblox platform, and use that cover to deploy the info-stealing malware Luna Token Grabber.
ReversingLabs named three packages that combined accounted for 963 downloads:
- noblox.js-vps (585 downloads)
- noblox.js-secure (243 downloads)
- noblox.js-ssh (135 downloads)
All three packages have been reported to the npm maintainers or removed.
Most commonly, malicious actors use typosquatting attacks to hijack URLs; however, the technique can also be applied to software dependencies by mimicking the name and functionality of legitimate packages.
Rust Crates.io Registry
Software supply chain security company Phylum reported on August 24 evidence of an early-stage typosquatting attack targeting the Crates.io Rust package registry.
According to Phylum, typosquatting attacks typically follow a pattern that starts with an attacker publishing a benign version of one or more packages. Once accepted, the attacker updates the packages with malicious code over the course of days or weeks. The code updates usually include a callback mechanism for communicating with the attacker, followed by deployment of a malicious payload.
Phylum detected the activity early and reported the potential malware campaign to the Rust Foundation on August 16. Their actions resulted in the eventual removal of the packages from the Crates.io registry.
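A defender-side check for the name mimicry described in both sections above, added here as an example and not code from ReversingLabs, Phylum, or either registry: it compares a project's declared dependency names against a list the team already trusts and flags near-miss spellings and "trusted name plus suffix" variants of the kind seen in noblox.js-vps, noblox.js-secure and noblox.js-ssh. The sample dependency list, the trusted list and the edit-distance threshold are constructed assumptions.

```javascript
// Added example (not from the article): flag dependency names that look like
// typosquats of packages a team already trusts. It works on the plain name
// list, so the same check applies to package.json and Cargo.toml entries.

// Levenshtein edit distance between two strings.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Returns one { name, lookalikeOf, reason } record per dependency that is not
// itself trusted but either is a trusted name with an extra "-", "_" or "."
// suffix appended (the noblox.js-vps pattern) or sits within `maxDistance`
// edits of a trusted name (a classic misspelling such as "lodahs").
function findLookalikes(dependencies, trusted, maxDistance = 2) {
  const trustedSet = new Set(trusted);
  const findings = [];
  for (const name of dependencies) {
    if (trustedSet.has(name)) continue;
    for (const t of trusted) {
      if (name.startsWith(t) && /^[-_.]/.test(name.slice(t.length))) {
        findings.push({ name, lookalikeOf: t, reason: 'suffix-variant' });
        break;
      }
      if (editDistance(name, t) <= maxDistance) {
        findings.push({ name, lookalikeOf: t, reason: 'near-miss' });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample: names as they would be read from a package.json or
// Cargo.toml dependency table, plus a constructed trusted list.
const sampleDependencies = ['noblox.js', 'noblox.js-vps', 'lodahs', 'express', 'serde'];
const trustedPackages = ['noblox.js', 'lodash', 'express', 'serde', 'tokio'];

console.log(findLookalikes(sampleDependencies, trustedPackages));
```

Suffix variants are reported for review rather than blocked outright, because legitimate companion packages (an "-types" or "-plugin" package, for example) match the same pattern; a finding is a prompt to verify the publisher and version history, not proof of malice.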