Malicious package

roblox-api-client (npm)

Malicious code in roblox-api-client (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6097
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall roblox-api-client

What this malware does

On npm install, postinstall.js fetches http://betterminecraft.fun/nettspend.bat over plain HTTP, writes it to the OS temp directory, and executes it via cmd /c on Windows (postinstall.js line 7 hardcodes the URL; line 15 spawns the temp file with windowsHide: true). The destination domain is unrelated to the package's stated purpose (a Roblox API client), the URL is mutable and unpinned, no hash or signature verification is performed, and the transport is cleartext HTTP: the operator can swap the served bytes at will, and so can anyone on the network path. package.json metadata is placeholder-only (author: your-name, repo github.com/your-username/roblox-api-client), consistent with a hit-and-run squat rather than a legitimate publisher. This is a textbook install-time RCE dropper: any Windows developer machine or CI runner that installs roblox-api-client with lifecycle scripts enabled silently executes attacker-controlled code under the installing user's account.

Malicious versions

1 flagged
1.0.0

Indicators of compromise (SHA-256)

06fae89087d7a50d6397199d5fe1d5fc925c7c353e72a7f8a84e9aeca08224e6

Frequently asked questions

No. roblox-api-client on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006973

Credits

  • Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.
