The two NPM packages, noblox.jsproxy and noblox.jsproxies, use typosquatting to impersonate the official Roblox API wrapper noblox. Changing a single letter in the library's name turns it into jsproxied.
The malicious NPM modules run a postinstall.js script after being added to a project and activated. Post-install scripts are normally used to run legitimate setup actions once a library is installed, but in this case the script starts a chain of malicious activity on victims' machines.
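A defender-side check for the two signals described above, install-time scripts and look-alike names, written as an added example (not code from the article or from the packages). The allowlist entry `noblox.jsproxied`, the `native-addon` package, the function names and all manifests are constructed assumptions.

```javascript
// Added example: flag dependencies with install-time hooks or look-alike names.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Levenshtein edit distance between two package names.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// manifests: parsed package.json objects of installed dependencies.
// intended: names the project means to depend on (assumed allowlist).
function auditManifests(manifests, intended, maxDistance = 3) {
  const findings = [];
  for (const m of manifests) {
    const hooks = INSTALL_HOOKS.filter((h) => m.scripts && m.scripts[h]);
    const lookalikeOf = intended.includes(m.name)
      ? null
      : intended.find((n) => editDistance(n, m.name) <= maxDistance) || null;
    if (hooks.length || lookalikeOf) {
      findings.push({ name: m.name, hooks, lookalikeOf });
    }
  }
  return findings;
}

// Constructed sample data; the allowlist entry is hypothetical.
const intended = ['noblox.jsproxied', 'express'];
const manifests = [
  { name: 'express', scripts: { test: 'mocha' } },
  { name: 'noblox.jsproxy', scripts: { postinstall: 'node postinstall.js' } },
  { name: 'noblox.jsproxies', scripts: { postinstall: 'node postinstall.js' } },
  { name: 'native-addon', scripts: { install: 'node-gyp rebuild' } },
];

for (const f of auditManifests(manifests, intended)) {
  console.log(`${f.name}: hooks=[${f.hooks}] lookalikeOf=${f.lookalikeOf}`);
}
```

A package with an install hook but no look-alike match (such as `native-addon` here) still deserves a look at what the hook runs. Installing with npm's `--ignore-scripts` option keeps these hooks from executing while a new dependency is reviewed.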