From the start of August, ReversingLabs has detected over a dozen harmful packages within the npm public repository. These multistage packages implant Luna Grabber, an open-source, info-stealing malware. 

This campaign, operating since August 2023, is aimed at developers who write scripts for Roblox.

Diving into details

The campaign employs malicious npm packages that mimic noblox.js, a popular open-source Node.js wrapper for the Roblox API. The genuine noblox.js package lets developers write JavaScript scripts that interact with the Roblox website.

These fake packages, including noblox.js-vps, noblox.js-ssh, and noblox.js-secure, house malicious multi-stage payloads. One of the most significant payloads identified is the Luna Grabber info-stealer.

Dissecting Luna Grabber

Luna Grabber functions as an info-stealer designed to extract data from web browsers, Discord applications, and local system configurations.
  • It can detect virtual environments and possesses a self-destruct feature.
  • Luna Grabber is highly adaptable and comes with comprehensive guidelines on its GitHub page explaining how to build a harmful executable.
Researchers observed something similar when the highly customizable TurkoRat malware was identified on GitHub back in May.

The bottom line

Once more, this campaign underscores the recurring strategy of threat actors using typosquatting to deceive developers into downloading malicious code disguised as genuine packages with similar names. It is also worth highlighting the use of Luna Grabber to create malicious executables, which serve as lures in phishing and supply chain attacks.
Cyware Publisher