Developers for popular online platform game Roblox are being reportedly targeted with information-stealing malware.
An unknown malicious actor has been seeding dozens of open-source software packages with malware referred to as ‘LunaGrabber’, beginning on August 1, 2023. Developers have been tricked into clicking on the malware-ridden software packages as they are disguised as commonly used pieces of software on open-source software library, npm. This includes the legitimate code developers were searching for also being included in the package, along with the LunaGrabber malware.
The malicious actor’s actions were discovered by researchers at cyber security company ReversingLabs, who published their findings on August 22.
The researchers found that, once downloaded onto a device, LunaGrabber will be deployed on the victim’s web browser, Discord application as well as other sources.
Lucija Valentić, a software threat researcher at ReversingLabs explained that “the malicious packages imitated the legitimate package noblox.js, a Node.js Roblox application programming interface (API) wrapper used to write scripts that interact with the Roblox gaming platform”. Valenti ć also confirmed that “developers who write scripts to run on the Roblox gaming platform” were the intended targets of the malware campaign.
Roblox developer data exposed in data breach
Attendees of the Roblox Developer Conference between 2017-2021 may have had their personal data leaked.
News of the data breach was broken on July 18, 2023, on X (previously known as Twitter) by Troy Hunt, creator of the site Have I Been Pwned. Have I Been Pwned allows users to search their name and details to see if they have been leaked in any data breaches.
In an anonymous message sent to Hunt, a source said that all those who attended the Roblox Developer Conference had their data leaked. According to the source, the data accessed during the cyber attack included full names, birth dates, email, home and IP addresses and phone numbers. The source also said that the data had been posted online.
Another source contacted Hunt about the data leak. The source backed up information already sent to Hunt, while also alleging that Roblox never publicly or internally disclosed the data leak, meaning those affected were not informed about the cyber attack.
The source said the leak had been re-published online recently, where it had been garnering “significant attention” from both malicious and non-malicious parties. The source alleged that this re-publishing of stolen data had seen “high-profile users” receive “malicious calls, texts and emails”.
On July 20, Roblox addressed the data leak, saying to Hunt that the company had contacted everyone affected.
Concerning the data leak notifications, Roblox said that: “Minimally affected users just got a sorry email. For more seriously affected users they got a year of identity protection and an apology for everyone else.”
On July 24, a Roblox spokesperson reached out to Cyber Security Hub regarding the data leak, saying: "Roblox is aware of a third-party security issue where there were indications of unauthorised access to limited personal information of a subset of our creator community. We engaged independent experts to support the investigation led by our information security team.
"Those who were impacted have received an email communicating the next steps we are taking to support them. We will continue to be vigilant in monitoring and vetting the cyber security posture of Roblox and our third party vendors."