Noblox.js is a node module that was forked from sentanos's roblox-js module. This project was created because the roblox-js repository was no longer maintained by sentanos.
Noblox.js allows you to do things you would normally do on the Roblox website through a Node.js interface. You can use noblox.js along with Roblox's HttpService feature to create scripts that interact with the website. If you're looking for more information on how to create something like this, check out this repository by sentanos. Keep in mind that this does not use the latest version of this module and it is highly encouraged that you learn to use the library directly.
With node.js installed simply run:
# Run this to install noblox.js locally to your repository.
$ npm install noblox.js --save
# if you're using yarn:
$ yarn add noblox.js
# Run this instead to install noblox.js globally so you can use it anywhere.
$ npm install noblox.js -g
That's it!
You can find the current noblox.js wiki with all API documentation here. Keep in mind that not all methods may be documented.
Note: as of v4.6.0, the way you log in to Noblox has changed significantly. The library is no longer responsible for refreshing your cookies. This is because of many reasons, including that creating a file caused several security/usability issues and made the library incompatible with some hosts.
login or cookieLogin methods.
setCookie with your cookie. This will store your cookie internally and validate it.
Note: By default, setCookie will validate the cookie you provide by making an HTTP request. To disable this behaviour, pass false as the second parameter (validate).
Control + Shift + i on your keyboard
Application
.ROBLOSECURITY. Copy its contents, which will start with: _|WARNING:-DO
rbx.setCookie( tokenHere )
This example makes use of the new async-await syntax.
const rbx = require("noblox.js")

async function startApp () {
  // Sample value from the README. A real cookie is a login credential and should not be committed to source.
  await rbx.setCookie("_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_F9F1EA531adk")
  // Do everything else, calling functions and the like.
  let currentUser = await rbx.getCurrentUser()
}

// Run the async entry point.
startApp()
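The value passed to setCookie is a login credential, and its fixed `_|WARNING:-DO` prefix makes a hardcoded copy easy to find. The following is an added example, not part of noblox.js or its README: it scans source text for hardcoded cookies without echoing the token, and loads the cookie from the environment instead. The function names and the ROBLOSECURITY environment variable name are assumptions, and the sample token is constructed.

```javascript
// Added example: function names and the ROBLOSECURITY env var name are assumptions.
const COOKIE_PREFIX = "_|WARNING:-DO" // prefix the cookie value starts with, per the steps above
const COOKIE_RE = /_\|WARNING:-DO[^\s"'`]*/g

// Keep the public warning text, mask the secret token that follows the last "|_".
function redactCookie (cookie) {
  const cut = cookie.lastIndexOf("|_")
  if (cut === -1) return COOKIE_PREFIX + "...[redacted]"
  return cookie.slice(0, cut + 2) + "[redacted " + (cookie.length - cut - 2) + " chars]"
}

// Scan source text (a file, a diff, a log) for hardcoded cookies.
// Returns [{ line, redacted }] so findings can be reported without leaking the value.
function scanForCookies (text) {
  const findings = []
  text.split(/\r?\n/).forEach((content, i) => {
    for (const match of content.matchAll(COOKIE_RE)) {
      findings.push({ line: i + 1, redacted: redactCookie(match[0]) })
    }
  })
  return findings
}

// Read the cookie from the environment instead of source and check its shape.
function loadCookie (env = process.env) {
  const cookie = (env.ROBLOSECURITY || "").trim()
  if (!cookie.startsWith(COOKIE_PREFIX)) {
    throw new Error("ROBLOSECURITY is unset or does not start with " + COOKIE_PREFIX)
  }
  return cookie
}

// Constructed sample: source text with a made-up token after the warning prefix.
const SAMPLE_SOURCE = [
  'const rbx = require("noblox.js")',
  'await rbx.setCookie("_|WARNING:-DO-NOT-SHARE-THIS.|_CONSTRUCTEDTOKEN0001")',
  "await rbx.setCookie(loadCookie())"
].join("\n")

console.log(scanForCookies(SAMPLE_SOURCE))
```

With a check like this in a pre-commit hook or CI step, the call in application code becomes `await rbx.setCookie(loadCookie())`.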
In July 2020 Roblox updated the endpoint we used to get CSRF tokens (auth.roblox.com/v1/logout) and essentially disabled it.
They didn't warn anyone of this change so as of v4.6.3 we've updated to a new endpoint that works.
To make use of the new fix, run npm install noblox.js@4.6.3. Alternatively, use latest to get the latest version.
We previously advised users to refresh cookies. This is no longer the case. Your Roblox authentication cookies will not expire as long as you do not log into the account, or use the log out or "Sign out all sessions" buttons.
For this reason, we advise you use a bot account.
MIT
FAQs
A Node.js wrapper for ROBLOX. (original from sentanos)
The npm package noblox receives a total of 52 weekly downloads. As such, noblox popularity was classified as not popular.
We found that noblox demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.