The inside story of ransomware repeatedly masquerading as a popular JS library for Roblox gamers

Since early September, Josh Muir and five other maintainers of the noblox.js package, have been trying to prevent cybercriminals from distributing ransomware through similarly named code libraries. Noblox.js is a wrapper for the Roblox API, which many gamers use to automate interactions with the hugely popular Roblox game …

  1. Anonymous Coward
    Anonymous Coward

    Proactive? Absolutely not.

    If someone notifies you about an issue and you don't even bother to reply for two days and then take WEEKS to merely open a trouble ticket to begin an investigation, then that is not proactive; it's called dragging your worthless ass in the hopes it goes away on its own.

    1. This post has been deleted by its author

      1. veti Silver badge

        Re: Proactive? Absolutely not.

        I'm pretty sure that hosting scammers' and bad actors' free speech is a core part of Discord's business plan. They certainly try to present themselves as a relaxed and un-policed environment.

  2. 502 bad gateway
    Childcatcher

    No....de

    Reads NPM, rolls eyes, sighs, gets downvoted by the global coalition of NodeJS developers, wistfully remembers a time when the delete key paved a way home from NPM Hell. Never again kiddies

  3. tiggity Silver badge

    Sympathy?

    If that advert for users to run bots and get paid (and then the greedy user fooled into installing the malware) is how people are getting infected by the malware, then I struggle to find much sympathy: wannabe crims conned by proper crims.

    1. Sandtitz Silver badge
      Unhappy

      Re: Sympathy?

      "and then the greedy user fooled into installing the malware"

      Those greedy people can very well be 10-year-olds who know nothing about malware but would happily take those video game currency units for something they think is cool and innocuous. ("running bots on my computer" sounds like something that'll get you street cred at school)

    2. Al fazed Bronze badge
      Facepalm

      Re: Sympathy?

      The targets are under 13 years of age.

      ALF

    3. Neztore

      Re: Sympathy?

      I think this is due to a misconception of what a bot actually is, in this case.

      A 'bot' here is more referring to a Discord chat bot, or Roblox group bot.

      These are (usually) not malicious, so it's totally possible that the victims thought it was a perfectly ethical scheme to get involved in, despite who was running it.

      This isn't the only way the malware is spread either; it's still squatting on the NPM registry and will be installed by unknowing users who have nothing to do with this individual prior to seeing the package and installing it.

      Given some of the packages' install counts were inflated (into the hundreds of thousands), to a child or fresh-faced developer they may not look too out of place.

  4. Snake Silver badge

    JS?

    "Seems to behave like ransom, except without the locking of files, only the overwriting of MBR"

    Can ONE person give me a DAMN good reason why JS was granted this level of power in the first place??! What is the use of the theory of a sandbox if the sandbox has admin-level powers in the first place?

    1. vtcodger Silver badge

      Re: JS?

      You got me curious, so I spent 15 minutes on the internet and am therefore now an EXPERT. It looks to me like "sandboxes" maybe aren't exactly built into the JavaScript language or its interpreter as many of us assume. Perhaps we are expected to bring our own sandbox to the party, which we do through our choice of browser(s). I certainly hope I'm wrong about that.

      Perhaps someone who actually understands JavaScript sandboxes would care to explain to you and me how they work and how they can possibly be anything other than a thick application of cosmetics over a massive collection of security issues.

      BTW, I'm not sure one actually needs admin privileges to overwrite the MBR even without the help of JavaScript. At least in older (pre-UEFI) disk setups, the MBR (and all of track 0 for that matter) is not part of any file system and isn't protected by the usual OS mechanisms. You may have to bring your own "device driver" to overwrite it, but maybe that's not all that hard to do.

      1. Shalghar

        Re: JS?

        May I object that MBR protection has been part of most Phoenix and even some ASUS BIOS options for at least a decade?

        Sadly, not all versions and surely not the stripped down versions from Abit and the like.

        In any case, you do not need atrocities like UEFI to protect the MBR.

    2. CommonBloke

      Re: JS?

      I'd love to know that, too. Though, since it's installed and run as an NPM package, the JavaScript isn't run within a sandboxed browser; maybe that's how it manages to elevate access.

  5. FeepingCreature Bronze badge

    The real problem is a lack of pervasive backups shipped with the OS

    "My computer broke again. Oh well, gimme half an hour and I'll restore from backup."

    There should be a simple action that any user, even and especially a child, can take in order to roll their computer back to a known good state.

    I think this is not primarily a ransomware problem; it's the fact that we consider it acceptable for the digital systems that run our lives to be stateful with irrevocable actions.

    Plus of course the lack of a permissions system worth a damn.
