noblox.js is an open-source Roblox API wrapper written in JavaScript (with TypeScript compatibility) as a fork of sentanos's roblox-js module.
This npm package enables operations from the Roblox website to be executed via Node.js; many individuals leverage noblox.js alongside Roblox's HTTPService to create in-game scripts that interact with the website (e.g. promote users, shout events, and so on) or to create Discord utilities to manage their community.
If you are looking for more information on how to create something like this, check out our sister library, noblox.js-server, or our YouTube series. Keep in mind that these resources may not always be up to date, so it is highly encouraged that you learn to use the noblox.js library directly.
With Node.js installed, simply run:

```bash
# Run this to install noblox.js locally to your repository.
$ npm install noblox.js

# Alternatively, if you are using yarn:
$ yarn add noblox.js

# To use noblox.js anywhere, run this code to install the package globally:
$ npm install noblox.js -g
```

That's it!
You can locate the noblox.js documentation here; keep in mind some internal or legacy methods may not be documented.
You may notice our documentation utilizes emojis in every function description; they have meanings!
Icon | Description |
---|---|
🔐 | Authentication through setCookie() is required to use this method.¹ |
🔓 | Authentication through setCookie() is required in some use-cases; dependent on the target's privacy settings. |
✅ | No authentication is required to use this method. |

¹ Extended permissions may be required, such as edit permissions or account ownership.
Retrieve your .ROBLOSECURITY cookie. Instructions on how to do that can be found here.
Write your code.
Using async/await syntax:

```js
const noblox = require('noblox.js')

async function startApp () {
  // You MUST call setCookie() before using any authenticated methods [marked by 🔐]
  // Replace the parameter in setCookie() with your .ROBLOSECURITY cookie.
  const currentUser = await noblox.setCookie('_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_6E6F626C6F782E6A73')
  console.log(`Logged in as ${currentUser.UserName} [${currentUser.UserID}]`)

  // Do everything else, calling functions and the like.
  const groupInfo = await noblox.getGroup(9997719)
  console.log(groupInfo)
}

startApp()
```

You are now using noblox.js!
Promises are fundamental to this library; if you are unfamiliar with JavaScript promises, we recommend you check out our tutorial here, and Daniel Shiffman's JavaScript series.
It is bad practice to store your .ROBLOSECURITY cookie inside your codebase; it is too easy to accidentally screenshot this secret or push it to GitHub. We recommend using a package such as dotenv to store your private information in environment variables. Consult their documentation or follow this video.
We recommend using a secondary account for botting purposes.
In the event of accidentally exposing your .ROBLOSECURITY cookie, do not panic. Go to Account Settings > Security, select Sign out of all other sessions, then log out of your account. This should invalidate your .ROBLOSECURITY cookie.
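One way to enforce the advice above about keeping the .ROBLOSECURITY cookie out of the codebase, as an added example that is not part of the noblox.js project: a scanner that flags the warning banner seen in the sample cookie above, plus a loader that reads the cookie from the environment. The variable name ROBLOSECURITY, the function names and the sample files are assumptions constructed for illustration.

```javascript
// Added example, not noblox.js code. Uses only Node.js built-ins.
// Banner that prefixes the sample cookie shown in the quickstart.
const COOKIE_BANNER = '_|WARNING:-DO-NOT-SHARE-THIS.'
// Banner, the rest of the warning text up to "|_", then the token itself.
const COOKIE_RE = /_\|WARNING:-DO-NOT-SHARE-THIS\.[^|'"`\s]*\|_[A-Za-z0-9+\/=_.-]+/g

// Replace the token with its length so findings are safe to print in CI logs.
function redact (cookie) {
  const tokenStart = cookie.indexOf('|_') + 2
  return `${cookie.slice(0, tokenStart)}<redacted:${cookie.length - tokenStart} chars>`
}

// files: { path: contents }. Returns one finding per hardcoded cookie.
function findHardcodedCookies (files) {
  const findings = []
  for (const [path, text] of Object.entries(files)) {
    text.split('\n').forEach((line, i) => {
      for (const match of line.matchAll(COOKIE_RE)) {
        findings.push({ path, line: i + 1, redacted: redact(match[0]) })
      }
    })
  }
  return findings
}

// Read the cookie from the environment (populated by dotenv or the host).
// ROBLOSECURITY is an assumed variable name; the banner check assumes real
// cookies carry the same banner as the page's sample.
function loadCookie (env = process.env) {
  const cookie = env.ROBLOSECURITY
  if (!cookie || !cookie.startsWith(COOKIE_BANNER)) {
    throw new Error('ROBLOSECURITY is missing or does not look like a cookie')
  }
  return cookie
}

// Constructed sample input: one file with the page's placeholder cookie, one clean.
const SAMPLE_FILES = {
  'bot.js': "const noblox = require('noblox.js')\n" +
    "noblox.setCookie('_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_6E6F626C6F782E6A73')\n",
  'safe.js': 'noblox.setCookie(loadCookie())\n'
}

console.log(findHardcodedCookies(SAMPLE_FILES))
```

Run the scanner over staged files in a pre-commit hook or CI job and fail the build when the findings array is not empty.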
Error: You are not logged in.
You may be calling a function before setCookie() has completed; make sure that you are awaiting setCookie() before initializing any event listeners or making function calls.
noblox.js is a promise-based library, which enables you to run operations concurrently; however, if you are not awaiting your promises, your other functions will continue to run while setCookie() is still validating your cookie. ~30ms is a long time at the computer scale.
Promises are fundamental to this library; if you are unfamiliar with JavaScript promises, we recommend you check out our tutorial here, and Daniel Shiffman's JavaScript series.
Error: 400 The roleset is invalid or does not exist.
You are likely using a rankId (0 - 255) instead of a rolesetId (>255); a rolesetId is a unique identifier for a role, which you can find by calling getRoles(groupId).
Roblox's naming scheme is a fickle beast; similarly, a developerProductId is different from a productId (which appears on the public-facing dashboard); use getDeveloperProducts(placeId) to see the developerProductId.
Error: Initialization failed: 401 Authorization has been denied for this request.
First, see the steps for Error: You are not logged in.
If this is unresolved, are you sure the bot has permission to access this resource? Can you do this operation manually on the website through the bot account?
At the end of the day, a 'bot' is a user account; it cannot magically bypass privacy restrictions or group permissions.
FAQs
A Node.js API wrapper for Roblox.
The npm package noblox.js receives a total of 1,431 weekly downloads. As such, noblox.js's popularity was classified as popular.
We found that noblox.js demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.