The two packages, named noblox.js-proxy and noblox.js-proxies, use typo-squatting to appear as the legitimate Roblox API wrapper called noblox.js-proxied by changing a single letter in the name.