True, but it's uniquely bad in the JS world. Developers tend to rely on libraries in almost cartoonish excess.
The language is shit in general, leading to an endless parade of frameworks and packages designed to paper over the sore spots.
The lack of a well-rounded One True Standard Library™ means lots of trivial functionality needs to come from somewhere.
Micro-dependencies are commonplace, leading to bloated dependency trees. I'd guess this is caused by a combination of both culture and the fact that you often want your JS artifacts to be as lean as possible.
The packages were collectively downloaded 963 times before they were removed. The rogue packages include names like "noblox.js-vps," "noblox.js-ssh," and "noblox.js-secure," and they were distributed across specific version ranges.
Is there any indication that anyone actually installed these, other than some bots that auto download all packages and such?
You would have to really go out of your way to get infected by stuff like this.
That being said, there are things npm could do to try to auto-detect "risky" packages (new, similar name to existing projects, few downloads, etc.) and require an additional layer of confirmation, or something like that.
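The heuristic sketched in this comment (a package that is new, has a name close to an existing project, and has few downloads) can be written down as a small scoring function that a registry or a CI gate could run before an install is allowed. The block below is an added JavaScript example, not code from any commenter, from npm, or from the noblox.js project; it assumes a simplified metadata record with `name`, `weeklyDownloads` and `createdAt` fields (a constructed shape, not the registry's real API) and a hand-picked list of popular names to compare against. The combination rule (a name signal plus at least one other signal) is an assumption chosen to keep legitimate forks such as `lodash-es` from being flagged.

```javascript
// Edit distance between two strings (standard Levenshtein, two-row version).
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Thresholds are assumptions for illustration, not values npm uses.
const DEFAULTS = { maxEditDistance: 2, minWeeklyDownloads: 100, maxAgeDays: 30 };

// Returns { name, risky, reasons } for one package record.
// pkg: { name, weeklyDownloads, createdAt } (constructed shape, see lead-in)
// popularNames: list of well-known package names to compare against
function assessPackageRisk(pkg, popularNames, now = new Date(), opts = DEFAULTS) {
  const reasons = [];
  const name = pkg.name.toLowerCase();

  for (const popular of popularNames) {
    const p = popular.toLowerCase();
    if (p === name) continue; // the popular package itself is not suspicious
    if (name.startsWith(p + '-') || name.startsWith(p + '.')) {
      reasons.push(`name extends popular package "${popular}"`);
    } else if (levenshtein(name, p) <= opts.maxEditDistance) {
      reasons.push(`name is within ${opts.maxEditDistance} edits of "${popular}"`);
    }
  }

  if (pkg.weeklyDownloads < opts.minWeeklyDownloads) {
    reasons.push(`fewer than ${opts.minWeeklyDownloads} weekly downloads`);
  }
  const ageDays = (now - new Date(pkg.createdAt)) / 86400000;
  if (ageDays <= opts.maxAgeDays) {
    reasons.push(`published within the last ${opts.maxAgeDays} days`);
  }

  // Assumed rule: a similar name alone is not enough (forks and scoped
  // variants are common); require at least one corroborating signal.
  const similarName = reasons.some((r) => r.startsWith('name'));
  const risky = similarName && reasons.length >= 2;
  return { name: pkg.name, risky, reasons };
}

// Constructed sample data: the three rogue names come from the quoted report,
// the download counts and dates are made up for the example.
const POPULAR = ['noblox.js', 'lodash', 'express'];
const SAMPLE_PACKAGES = [
  { name: 'noblox.js-vps',    weeklyDownloads: 12,      createdAt: '2024-01-10' },
  { name: 'noblox.js-ssh',    weeklyDownloads: 9,       createdAt: '2024-01-11' },
  { name: 'noblox.js-secure', weeklyDownloads: 15,      createdAt: '2024-01-12' },
  { name: 'lodash-es',        weeklyDownloads: 5000000, createdAt: '2015-01-01' },
  { name: 'expres',           weeklyDownloads: 3,       createdAt: '2024-01-18' },
  { name: 'left-pad',         weeklyDownloads: 40,      createdAt: '2024-01-15' },
];
const SAMPLE_NOW = new Date('2024-01-20');

// Runs the check over the sample set and returns the per-package results.
function runSample() {
  return SAMPLE_PACKAGES.map((p) => assessPackageRisk(p, POPULAR, SAMPLE_NOW));
}

for (const r of runSample()) {
  console.log(`${r.risky ? 'RISKY ' : 'ok    '} ${r.name}: ${r.reasons.join('; ') || 'no signals'}`);
}
```

In the sample run the three `noblox.js-*` names and `expres` are flagged, while `lodash-es` (name signal only, high downloads, old) and `left-pad` (no name signal) are not. A real gate would replace the hand-picked list with the registry's top-N packages and the fixed thresholds with something tuned on historical takedowns, and would present the result as the "additional layer of confirmation" the comment describes rather than a hard block.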