Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Malicious NPM Libraries Install Ransomware, Password Stealer

Malicious NPM Libraries Install Ransomware, Password Stealer


Malicious NPM packages pretending to be Roblox libraries are delivering ransomware and password-stealing trojans on unsuspecting users.

The two NPM packages are named noblox.js-proxy and noblox.js-proxies, and use typo-squatting to pretend to be the legitimate Roblox API wrapper called noblox.js-proxied by changing a single letter in the library’s name.

Also Read: October 2021 PDPC Incidents and Undertaking: Lessons from the Cases

Malicious noblox.js-proxies NPM 

In a new report by open source security firm Sonatype with further analysis by BleepingComputer, these malicious NPMs are infecting victims with an MBRLocker ransomware that impersonates the notorious GoldenEye ransomware, trollware, and a password stealing trojan.

Both of the malicious NPM libraries have since been taken down and are no longer available.

A mess of malicious activity

After the malicious NPM libraries are added to a project and launched, the library will execute a postinstall.js script. This script is normally used to execute legitimate commands after a library is installed, but in this case, it starts a chain of malicious activity on victims’ computers.

As you can see below, the postinstall.js script is heavily obfuscated to prevent analysis by security researchers and software.

Also Read: How often should you pen test?

Obfuscated postinstall.js script
Obfuscated postinstall.js script

When executed, the script will launch the heavily obfuscated batch file called ‘nobox.bat,’ shown below.

Obfuscated noblox.bat batch file
Obfuscated noblox.bat batch file

This batch file was decoded by Sonatype security researcher Juan Aguirre and will download a variety of malware from Discord and launches them with the help of the fodhelper.exe UAC bypass

The files downloaded by the noblox.bat batch file are listed below in the order they are installed, along with their VirusTotal links and a description of their actions.

  • exclude.bat – Adds a Microsoft Defender exclusion not to scan files under the C:\ drive.
  • legion.exe – Deploys a password-stealing trojan that steals browser history, cookies, saved passwords, and attempts to record video via the built-in webcam.
  • 000.exe – Trollware that modifies the current user’s name to ‘UR NEXT,’ plays videos, changes a user’s password, and attempts to lock them out of their system.
  • tunamor.exe – Installs an MBRLocker called ‘Monster Ransomware,’ which impersonates the GoldenEye ransomware.

The Monster ransomware MBRLocker

Of particular interest is the ‘tunamor.exe’ executable, which installs an MBRLocker calling itself ‘Monster Ransomware.’

When executed, the ransomware will perform a forced restart of the computer and then display a fake CHKDSK of the system. During this process, the ransomware is allegedly encrypting the disks on the computer.

Fake CHKDSK while drives are encrypted
Fake CHKDSK while drives are encrypted
Source: BleepingComputer

When finished, it will reboot the computer and display a skull and crossbones lock screen originally found in the Petya/ GoldenEye ransomware families.

Monster ransomware lock screen
Monster ransomware lock screen
Source: BleepingComputer

After pressing enter, the victim is shown a screen stating that their hard disks are encrypted and that they must visit the http://monste3rxfp2f7g3i.onion/ Tor site, which is now down, to pay a ransom.

Monster ransomware ransom demand
Monster ransomware ransom demand
Source: BleepingComputer

BleepingComputer discovered the ‘qVwaofRW5NbLa8gj‘ string, which is accepted as a valid key to decrypt the computer. However, while the key is accepted and the ransomware states it is decrypting the computer, Windows will fail to start afterward.

Windows unable to start after entering key
Windows unable to start after entering key
Source: BleepingComputer

It is unclear if an additional string must be added to that key to decrypt the hard disk’s drive correctly or if this program is simply a wiper designed to destroy systems.

This ransomware does not appear to be widespread and is only known to be distributed via these NPM packages.

Based on the activity of the 000.exe trollware and the strange behavior of the Monster ransomware, it is likely that these packages are designed to destroy a system rather than generate a ransom demand.

Malicious NPMs used in supply-chain attacks, such as this one, are becoming more common.

Sonatype recently discovered three malicious NPM libraries used to deploy cryptominers on Linux and Windows devices.

Last Friday, the very popular UA-Parser-JS NPM library was hijacked to infect users with miners and password stealing trojans.




Password stealer


tunamor.exe (ransomware)



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us