Comment on Roblox Game Devs Duped by Malicious npm Packages
realharo@lemm.ee 1 year ago
The packages were collectively downloaded 963 times before they were removed. The rogue packages include names like “noblox.js-vps,” “noblox.js-ssh,” and “noblox.js-secure,” and they were distributed across specific version ranges.
Is there any indication that anyone actually installed these, other than some bots that auto download all packages and such?
You would have to really go out of your way to get infected by stuff like this.
atheken@programming.dev 1 year ago
Also, as far as I can tell, they’re talking about devs that are building on the Roblox platform, not devs that are building the platform.
In other words, random devs of varying skill levels getting name-squatted.
It’s not good, but including Roblox in the title is definitely misleading/clickbait.
JackbyDev@programming.dev 1 year ago
It is a library to work with Roblox; saying Roblox isn’t misleading. I can agree that “Roblox devs” is misleading though.
atheken@programming.dev 1 year ago
It’s misleading because it’s irrelevant and makes it sound like a platform breach.
Try replacing Roblox with “Foozsplatz” and the implications of severity are completely different.
JackbyDev@programming.dev 1 year ago
I’m confused: in this hypothetical, is Foozsplatz a nonsense word or is it meant to be a game like Roblox? If you mean the first, then yeah, obviously replacing a proper noun with gibberish changes the implication. If you mean the second, then no, it would have the same implication.