npm · Malicious package advisory
Malwareroblox-api-client
MAL-2026-6097
Malicious code in roblox-api-client (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (06fae89087d7a50d6397199d5fe1d5fc925c7c353e72a7f8a84e9aeca08224e6) On `npm install`, postinstall.js fetches http://betterminecraft.fun/nettspend.bat over plain HTTP, writes it to the OS temp directory, and executes it via `cmd /c` on Windows (postinstall.js line 7 hardcodes the URL; line 15 spawns the temp file with `windowsHide: true`). The destination domain is unrelated to the package's stated purpose (a Roblox API client), the URL is mutable and unpinned, no hash or signature verification is performed, and the transport is cleartext HTTP — the operator can swap the served bytes at will. package.json metadata is placeholder-only (`author: your-name`, repo `github.com/your-username/roblox-api-client`), consistent with a hit-and-run squat rather than a legitimate publisher. This is a textbook install-time RCE dropper: any Windows developer running `npm install roblox-api-client` silently executes attacker-controlled code under their user account.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.