🌙 Moonlight Client (MOOMOO.IO) 🌙 was reported 30.12.2025 for Missing, non-informative, or misleading description
This code, titled "Moonlight Client," is a prime example of why the browser-based gaming community often struggles with stability and fairness. Beyond the obvious ethical issue of creating a "cheat," the script is architecturally messy, technically inefficient, and contains questionable social engineering tactics.
Here is a breakdown of everything wrong with this code:
1. Coercive and Deceptive UX
The script begins with an alert() that claims it "will not work unless you join our Discord server first."
The Lie: Technically, the code has no logic to verify Discord membership. This is a "scareware" tactic used to artificially inflate community numbers and potentially expose users to further malicious downloads or "premium" paid cheats within that Discord.
Intrusiveness: Forcing a browser alert on every page load is a hallmark of low-quality, "annoyance-ware" scripts.
2. Catastrophic Performance & Resource Management
The script is designed to spawn "30+ bots" (multiboxing).
Network Spam: Each bot opens its own WebSocket. Multiplying this by 30+ creates a massive overhead of network traffic.
CPU Hogging: The code uses multiple setInterval loops (some running as fast as every 50ms) for 30 different entities. This will cause significant frame-rate drops (lag) for the user, as the browser’s main thread becomes choked by the constant encoding/decoding of MsgPack data.
Memory Leaks: There is no proper cleanup logic. If a user joins and leaves multiple servers, the WebSocket objects and event listeners will likely persist in memory, eventually crashing the browser tab.
3. Brute-Force "POW" Bypassing
The PowSolver class is a blatant attempt to bypass Moomoo.io’s anti-bot protections.
It uses a "Proof of Work" (Altcha) solver. While the implementation of the hash solver is technically functional, it is used here to automate the creation of "headless" clients. This is the primary reason why IO games suffer from server instability—one user running this script exerts the server load of 30+ players.
4. Poor Coding Standards (Spaghetti Code)
Global Variable Pollution: Variables like placingSpikes, multiboxAlts, and mousePosition are declared in the global scope. This is dangerous because it can easily conflict with the game's native scripts or other browser extensions.
Hardcoded Magic Numbers: The code is littered with "magic numbers" (e.g., upgradeOptions[5] == 23, dirToMove - 2.35619). Without documentation, this is a nightmare to maintain. If the game developer changes a single item ID, the entire script breaks.
Redundant Event Listeners: It adds a keyup and keydown listener to the window object every time the WebSocket is intercepted. If the game reconnects, you end up with multiple layers of listeners firing simultaneously for the same keypress.
5. Insecure "WebSocket Interception"
The script overrides the native window.WebSocket constructor:
code
JavaScript
const originalWebSocket = WebSocket;
window.WebSocket = new Proxy(originalWebSocket, wsInterceptor);
This is a highly invasive technique. By wrapping the WebSocket in a Proxy, the script gains access to every piece of data sent and received by the user. While used here for "cheating," this same pattern is used by credential stealers to sniff passwords or session tokens. Users should never trust a script that proxies their network traffic in this manner.
6. Ruining the Game Ecosystem
From a player-experience perspective, this script is "toxic":
Auto-Heal: It eliminates the skill gap by reacting to damage in 1ms—faster than any human could.
Multiboxing: Controlling 30 bots to swarm a single player makes the game unplayable for everyone else. This leads to declining player counts and, eventually, the death of the game.
The "Moonlight Client" is poorly optimized, ethically bankrupt, and architecturally lazy. It relies on social engineering to grow a Discord server and uses "brute force" programming to overwhelm game servers. It is the digital equivalent of a "smoke machine" in a small room—it might look cool to the person holding it, but it makes the environment unbreathable for everyone else.
The only point mentioned here that breaks greasyfork's rules is the first one, for deceptive behaviour. To fix this issue, I changed the alert message to "join the discord server if you like this script" instead of "join the server or the script won't work". None of the other points mentioned break greasyfork's rules; they may break the game's rules, but they do not break any of greasyfork's rules.
This script has been updated since the report was filed.
This script has had 1 previous upheld or fixed report.
freepentests_on_soundcloud (the reported user) has made:
This report has been upheld by a moderator, but the moderator marked it as Undisclosed <a href="/help/antifeatures">antifeature</a> (e.g. ad, tracking, miner, etc.).
The alert dialog itself can be considered an intrusive ad. Either replace it with an in-page element or add `@antifeature ads`, see https://greasyfork.org/en/help/antifeatures