ReversingLabs researchers have identified more than a dozen malicious packages on the npm public repository since the beginning of August, including multistage, malicious packages that placed Luna Grabber, an open-source information-stealing malware, on infected systems. In a replay of an attack uncovered two years ago, the malicious packages imitated the legitimate package noblox.js, a Node.js Roblox API wrapper used to write scripts that interact with the Roblox gaming platform.

This malicious campaign started at the beginning of August, with the first malicious package of interest published on August 1. At this time, the campaign is ongoing. ReversingLabs researchers have, in recent days, identified additional malicious packages: noblox.js-ssh and noblox.js-secure. The package noblox.js-ssh has been reported to the npm maintainers. The noblox.js-secure package has subsequently been removed from npm, likely by the author.
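
To check whether a project pulled in one of the packages named above, the following added example (not ReversingLabs' code) audits a parsed package-lock.json for the two reported names and for other names built on "noblox". The lookalike heuristic, the function names and the sample lockfile, including the package noblox.js-example-lookalike and all version strings, are constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json for noblox.js imitators.
const LEGIT = "noblox.js"; // the legitimate package named in the article
const REPORTED = new Set(["noblox.js-ssh", "noblox.js-secure"]); // from the article

// Collect every installed package name, direct or transitive.
// lockfileVersion 2/3: flat "packages" map keyed by install path.
// lockfileVersion 1: nested "dependencies" tree.
function collectNames(lock) {
  const names = new Set();
  const marker = "node_modules/";
  for (const path of Object.keys(lock.packages || {})) {
    const i = path.lastIndexOf(marker); // the root project key "" is skipped
    if (i !== -1) names.add(path.slice(i + marker.length));
  }
  const walk = (deps) => {
    for (const [name, info] of Object.entries(deps || {})) {
      names.add(name);
      walk(info.dependencies);
    }
  };
  walk(lock.dependencies);
  return names;
}

// "reported": name listed in the article. "lookalike": any other name that
// contains "noblox" once punctuation is removed (assumed heuristic; review by hand).
function auditLock(lock) {
  const findings = [];
  for (const name of [...collectNames(lock)].sort()) {
    if (name === LEGIT) continue;
    const flat = name.toLowerCase().replace(/[^a-z0-9]/g, "");
    if (REPORTED.has(name)) findings.push({ name, reason: "reported" });
    else if (flat.includes("noblox")) findings.push({ name, reason: "lookalike" });
  }
  return findings;
}

// Constructed sample lockfile; versions are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-bot", version: "0.0.0" },
    "node_modules/noblox.js": { version: "0.0.0" },
    "node_modules/noblox.js-ssh": { version: "0.0.0" },
    "node_modules/express": { version: "0.0.0" },
    "node_modules/express/node_modules/noblox.js-example-lookalike": { version: "0.0.0" },
  },
};
console.log(auditLock(sampleLock));
```

For a real project, pass the result of parsing the project's own package-lock.json to auditLock; a "lookalike" finding is a prompt for manual review, not proof of compromise.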