{ "id": "93b1a321-650f-4574-86e0-6bd75f8aa581", "created_at": "2026-04-06T01:31:23.299235Z", "updated_at": "2026-04-10T03:33:30.007592Z", "deleted_at": null, "sha1_hash": "c94be54075d01d150d9e15f523e6ec78c202ddec", "title": "Luna Grabber Malware Targets Roblox Gaming Devs", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1452366, "plain_text": "Luna Grabber Malware Targets Roblox Gaming Devs\r\nBy Dark Reading Staff\r\nPublished: 2023-08-25 · Archived: 2026-04-06 00:55:39 UTC\r\n1 Min Read\r\nSource: SOPA Images Limited via Alamy Stock Photo\r\nSince the start of this month, researchers at ReversingLabs have found a host of malicious, multistage packages on\r\nthe npm public repository that implant an open source, information-stealing malware known as Luna Grabber.\r\nTo infect its victims, the packages imitate a legitimate package, such as noblox.js — \"a Node.js Roblox API\r\nwrapper used to write scripts that interact with the Roblox gaming platform,\" according to a ReversingLabs\r\nanalysis on the campaign. The malicious packages reproduce code from the legitimate package but add\r\ninformation-stealing functions to the mix. \r\nDevelopers of the scripts that ultimately run on the Roblox platform could thus unwittingly fall prey to Luna\r\nGrabber, which is an \"open-source malware designed to steal information from the user's local web browser,\r\nDiscord application, and more,\" according to ReversingLabs.\r\nhttps://www.darkreading.com/vulnerabilities-threats/luna-grabber-malware-targets-roblox-gaming-devs\r\nPage 1 of 2\n\nThe researchers first came upon these types of campaigns while monitoring the npm public repository, and\r\nnoblox.js-vps was the first malicious package they happened upon. The package displayed suspicious behaviors,\r\nsuch as executing commands in the command line, containing URLs that linked to Discord attachments,\r\nenumerating files in a given directory, and enumerating user information, among other actions. Since then,\r\nReversingLabs researchers have also identified other malicious packages that are similar, such as noblox.js-ssh\r\nand noblox.js-secure.\r\n\"Even though the impact of noblox.js-vps and other malicious packages in this campaign wasn't high, it is a\r\nreminder to security and software development teams that threats lurk consistently in open-source repositories,\r\nmaking choosing which package to include in the development process critical,\" wrote the researchers. \r\nAbout the Author\r\nDark Reading\r\nDark Reading is a leading cybersecurity media site.\r\nSource: https://www.darkreading.com/vulnerabilities-threats/luna-grabber-malware-targets-roblox-gaming-devs\r\nhttps://www.darkreading.com/vulnerabilities-threats/luna-grabber-malware-targets-roblox-gaming-devs\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.darkreading.com/vulnerabilities-threats/luna-grabber-malware-targets-roblox-gaming-devs" ], "report_names": [ "luna-grabber-malware-targets-roblox-gaming-devs" ], "threat_actors": [ { "id": "dcba8e2b-93e0-4d6e-a15f-5c44faebc3b1", "created_at": "2022-10-25T16:07:23.816991Z", "updated_at": "2026-04-10T02:00:04.758143Z", "deleted_at": null, "main_name": "Lurk", "aliases": [], "source_name": "ETDA:Lurk", "tools": [], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775439083, "ts_updated_at": 1775792010, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c94be54075d01d150d9e15f523e6ec78c202ddec.pdf", "text": "https://archive.orkl.eu/c94be54075d01d150d9e15f523e6ec78c202ddec.txt", "img": "https://archive.orkl.eu/c94be54075d01d150d9e15f523e6ec78c202ddec.jpg" } }