Here’s why popular code libraries are flooded with Roblox, Fortnite spam right now

Fortnite Chapter 3 Header
(Image credit: Epic Games)

The open source package registries PyPI, NuGet and npm have been polluted with a flood of junk packages relating to popular online games such as Roblox and Fortnite, recent analysis shows.

As explained in a report from cybersecurity firm Sonatype, the junk packages do not contain malicious code. Instead, their associated README files direct visitors towards spam domains that claim to offer free in-game currency and custom skins.

These fraudulent domains are set up to harvest the personal information and account credentials of anyone who interacts with them.


Large-scale spam campaigns

As Sonatype notes, it is not uncommon for open source package registries to be abused as part of spam campaigns: anyone can publish a package, and that low barrier to entry creates ideal conditions for cybercriminals.

However, the specific objective of these campaigns is less clear. The best guess among security researchers so far is that the spam packages are designed to boost the SEO performance of the malicious domains.

“One theory is, these spam campaigns are a ploy to improve the SEO for their spammy domains,” explained Ax Sharma, Security Researcher at Sonatype, in an email exchange with TechRadar Pro. “When someone searches for ‘free Roblox Robux’, the open source repository’s reputation and search index ranking lends credence to the attacker’s links, which may now shine through the search results.”

Although all of the affected registries told Sonatype they have mechanisms in place to stop these outbound links conferring an SEO advantage, the spam domains' presence on high-reputation platforms may nonetheless improve their search engine rankings to some extent.
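The two checks a practitioner would want after reading the above are (1) a triage pass over a package's README for outbound links that read like free-currency lures, since the packages themselves carry no malicious code and the README is the whole payload, and (2) a check of how the registry renders those links, because an anchor without `rel="nofollow"` (or `ugc`/`sponsored`) is what would let a spam domain borrow the registry's search reputation. The following is an added example written for this page; it is not Sonatype's tooling or any registry's own code. The lure keyword list, the trusted-host set, the sample README and the `.test` domains are all constructed assumptions.

```python
"""Heuristic triage of package READMEs for game-currency spam links.
Added example for this article, not Sonatype's or any registry's code.
All sample data below is constructed; the lure term list is an assumption."""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urlparse

# Terms the article associates with the lure pages (assumed list; extend as needed).
LURE_TERMS = ("robux", "v-bucks", "vbucks", "free skins", "skin generator",
              "nitro", "fortnite", "roblox")

# Assumption: a README linking back to its own registry or to GitHub is not a lure.
TRUSTED_HOSTS = {"pypi.org", "www.npmjs.com", "www.nuget.org", "github.com"}

MD_LINK = re.compile(r"\[([^\]]*)\]\((https?://[^\s)]+)\)")   # [text](url)
BARE_URL = re.compile(r"(?<!\()https?://[^\s<>\"')]+")         # url not inside ( )


@dataclass
class Finding:
    url: str
    host: str
    text: str
    reasons: list = field(default_factory=list)


def extract_links(readme_md):
    """Return (anchor_text, url) pairs from Markdown links and bare URLs."""
    links = MD_LINK.findall(readme_md)
    seen = {u for _, u in links}
    for u in BARE_URL.findall(readme_md):
        if u not in seen:
            links.append(("", u))
    return links


def triage_readme(readme_md, code_bytes):
    """Flag outbound links whose anchor text or URL looks like a game-currency lure.

    code_bytes is the size of the package's non-README payload: a near-empty
    package whose only content is an outbound lure matches the junk-package
    pattern described in the article and is noted as an extra reason."""
    findings = []
    for text, url in extract_links(readme_md):
        host = urlparse(url).netloc.lower()
        if host in TRUSTED_HOSTS:
            continue
        blob = (text + " " + url).lower()
        hits = [t for t in LURE_TERMS if t in blob]
        reasons = []
        if hits:
            reasons.append("lure terms: " + ", ".join(hits))
        if "free" in blob and ("generator" in blob or hits):
            reasons.append("'free' offer combined with game lure")
        if reasons and code_bytes < 1024:
            reasons.append("package payload is near-empty")
        if reasons:
            findings.append(Finding(url, host, text, reasons))
    return findings


class _AnchorRel(HTMLParser):
    """Collect (href, rel-set) for every <a> in rendered README HTML."""
    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            rel = set((a.get("rel") or "").lower().split())
            self.anchors.append((a.get("href", ""), rel))


def outbound_without_nofollow(rendered_html, registry_host):
    """Return outbound hrefs whose anchors lack rel=nofollow/ugc/sponsored,
    i.e. links a crawler may treat as an endorsement by the registry."""
    p = _AnchorRel()
    p.feed(rendered_html)
    leaking = []
    for href, rel in p.anchors:
        host = urlparse(href).netloc.lower()
        if not host or host == registry_host:
            continue
        if not rel & {"nofollow", "ugc", "sponsored"}:
            leaking.append(href)
    return leaking


# Constructed sample README and rendered HTML; the .test domains are not real.
SAMPLE_README = """# robux-gen-helper
Get **FREE Robux** today: [Free Robux Generator](https://example-robux-lure.test/free)
Official docs: https://pypi.org/project/robux-gen-helper/
Also see https://example-skins-lure.test/fortnite-skins
"""
SAMPLE_HTML = ('<p><a href="https://example-robux-lure.test/free">Free Robux</a> '
               '<a rel="nofollow ugc" href="https://example-skins-lure.test/x">skins</a> '
               '<a href="https://pypi.org/project/x/">pypi</a></p>')

if __name__ == "__main__":
    for f in triage_readme(SAMPLE_README, code_bytes=200):
        print(f.host, "->", "; ".join(f.reasons))
    print("no-nofollow outbound:", outbound_without_nofollow(SAMPLE_HTML, "pypi.org"))
```

To run this against a real package, feed `triage_readme` the README text from the registry's metadata endpoint and `outbound_without_nofollow` the HTML of the rendered project page; a non-empty result from the second function on a registry that claims to neutralise outbound links is worth reporting to that registry.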

Sharma suggests the latest campaigns are particularly noteworthy for their focus on video games, especially those frequented by younger players. In addition to Fortnite and Roblox spam, Sonatype has recently identified multiple campaigns targeting users of Discord, a messaging platform popular among gamers.

One possibility is that cybercriminals have settled on younger gamers as an easy mark, because they are equipped with neither the skills to identify online scams nor the funds to pay for in-game microtransactions via legitimate routes.

Joel Khalili
News and Features Editor

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He's responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.
