This week, the PyPI and NuGet open source repositories have been flooded with more than a hundred spam “Roblox” packages pointing to bogus links. Additionally, npm, the largest Node.js package registry, has also been seen battling spam packages.
In each case, the packages are practically empty, with no functional code. But their README pages link to spam domains offering “free Robux generators” and tools for creating in-game items like custom skins.
Spammers polluting open source registries with links to pirated movies and warez sites is not novel—such shenanigans may help boost SEO for spam domains. This particular spam campaign tracked by Sonatype, along with our most recent discovery of malicious Roblox cookie and Discord token stealers, paints an interesting pattern.
PyPI, npm, NuGet polluted with “Robux” and Fortnite spam
Yesterday, my colleague and data scientist Cody Nash alerted us to funny-sounding PyPI packages flagged by our automated malware detection systems. Except that these packages were neither malicious nor dependency-confusion PoCs, and contained no functional code.
All of these packages and their READMEs pointed to a spammy domain: freerobux[.]best.
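A defender-side heuristic for the pattern described above (an effectively empty package whose README links to one of the spam domains), added here as an example and not Sonatype's own detection code. The domain list is built from the domains named in this post, and the sample package contents are constructed.

```python
import re
from urllib.parse import urlparse

# Spam domains named in this post (defanged there as freerobux[.]best and gamedip[.]xyz).
SPAM_DOMAINS = {"freerobux.best", "gamedip.xyz"}
# Packaging boilerplate that does not count as "functional code".
BOILERPLATE = {"setup.py", "setup.cfg", "pyproject.toml"}

URL_RE = re.compile(r"https?://[^\s)>\"']+")

def refang(value: str) -> str:
    """Turn defanged 'example[.]com' back into 'example.com' so URLs parse."""
    return value.replace("[.]", ".")

def spam_domains_in(text: str) -> set[str]:
    """Return every hostname in `text` that is a known spam domain or a subdomain of one."""
    hits = set()
    for url in URL_RE.findall(refang(text)):
        host = (urlparse(url).hostname or "").lower()
        for bad in SPAM_DOMAINS:
            if host == bad or host.endswith("." + bad):
                hits.add(host)
    return hits

def has_functional_code(files: dict[str, str]) -> bool:
    """Heuristic: any non-boilerplate .py file with a non-blank, non-comment line."""
    for name, body in files.items():
        if not name.endswith(".py") or name.rsplit("/", 1)[-1] in BOILERPLATE:
            continue
        for line in body.splitlines():
            stripped = line.strip()
            if stripped and not stripped.startswith("#"):
                return True
    return False

def classify(readme: str, files: dict[str, str]) -> str:
    """'spam-placeholder' = spam link and no code; 'suspicious-link' = spam link with code."""
    hits = spam_domains_in(readme)
    if hits and not has_functional_code(files):
        return "spam-placeholder"
    if hits:
        return "suspicious-link"
    return "clean"

# Constructed sample mimicking one of the empty packages: README points at the spam domain,
# and the only .py files are a comment-only __init__.py plus packaging boilerplate.
SAMPLE_README = "# robux-free\nGet free Robux here: https://freerobux[.]best/generator"
SAMPLE_FILES = {"robux_free/__init__.py": "# placeholder\n", "setup.py": "from setuptools import setup\nsetup(name='robux-free')\n"}
```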
After our report to PyPI, these four dozen-plus packages were taken down. But in the last 24 hours, threat actors also seem to have targeted NuGet, the open-source registry of .NET packages, with Robux spam [1, 2]:
In addition to the same freerobux[.]best domain seen on NuGet, other domains used for the spam campaign include:
All such links lead to bogus “Robux Generator” pages as shown below:
Domain gamedip[.]xyz with Roblox and Fortnite spam: