Over the weekend, Sonatype spotted a rather unique malware sample on the npm registry, flagging it within a day of its release.
The malware exists in the brandjacking npm package called “web-browserify,” which imitates the legitimate “browserify” component.
Trusted by hundreds of thousands of NodeJS developers, Browserify receives over 1.3 million weekly downloads on npm alone.
Browserify’s popularity stems from it being an open source JavaScript tool that lets developers write cross-platform, NodeJS-style modules that compile for use in the browser.
The malicious package “web-browserify,” on the other hand, abuses legitimate npm components to bundle within itself a malicious, hard-to-detect Linux and Mac executable.
Of note, the package seems to be specifically designed to target individual NodeJS developers, judging from the way it acts once downloaded and from the choice of operating systems it targets.
Malware Runs as Soon as web-browserify is Installed by the Developer
Sonatype’s automated malware detection system, Release Integrity, part of our next-gen Nexus Intelligence, flagged the “web-browserify” npm component for being suspicious over the weekend.
On a closer look, the Sonatype Security Research team confirmed the package as malicious and immediately added it to our data.
The “web-browserify” npm component, now taken down, existed on npm as a .TGZ archive (typical of npm components) with just one version (1.0.0), which is about 27 MB in size.
The “postinstall.js” file simply extracts a mysterious “run.tar.xz” archive (shown above) nested within the “web-browserify” component’s TGZ archive.
The “run.tar.xz” further contains a 64-bit ELF executable called “run,” which is capable of running on both Linux and Mac operating systems.
Executable and Linkable Format (ELF) is a common format for Unix-based executable binaries and libraries.
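The install-time behaviour described here, an install hook in package.json plus a nested archive shipped inside the tarball, can be checked for before a package is ever installed. The following audit script is an added example and not Sonatype’s Release Integrity or any code from the post; the tarball it inspects is constructed inline to mirror the described layout (package.json with a postinstall hook, postinstall.js, run.tar.xz) and does not contain the real payload.

```python
import io
import json
import tarfile

# Lifecycle hooks that npm runs automatically during installation.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Nested archives inside a JS package are unusual and worth a closer look.
ARCHIVE_SUFFIXES = (".tar.xz", ".tar.gz", ".tgz", ".zip", ".xz", ".7z")
ELF_MAGIC = b"\x7fELF"  # first four bytes of any ELF binary


def build_constructed_package(with_payload: bool = True) -> bytes:
    """Build an in-memory npm .tgz. Constructed sample, not the real package."""
    manifest = {"name": "web-browserify", "version": "1.0.0"}
    files = {"package/index.js": b"module.exports = require('browserify');\n"}
    if with_payload:
        manifest["scripts"] = {"postinstall": "node postinstall.js"}
        files["package/postinstall.js"] = b"// would extract run.tar.xz and launch 'run'\n"
        files["package/run.tar.xz"] = b"\xfd7zXZ\x00" + b"\x00" * 64  # xz magic only
    files["package/package.json"] = json.dumps(manifest).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_npm_tarball(tgz: bytes) -> list[str]:
    """Return human-readable findings for install hooks, nested archives and ELF files."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        scripts = {}
        manifest = members.get("package/package.json")
        if manifest is not None:
            scripts = json.load(tar.extractfile(manifest)).get("scripts", {})
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append(f"install hook '{hook}' runs: {scripts[hook]}")
        for name, member in members.items():
            if name.endswith(ARCHIVE_SUFFIXES):
                findings.append(f"nested archive bundled: {name} ({member.size} bytes)")
            if tar.extractfile(member).read(4) == ELF_MAGIC:
                findings.append(f"ELF binary bundled: {name}")
    return findings


if __name__ == "__main__":
    for line in audit_npm_tarball(build_constructed_package()):
        print(line)
```

Running it against a downloaded tarball (`npm pack <name>` produces one without running any hooks) gives the same kind of findings; an empty list means no install hook, no nested archive and no ELF file at the top level of the package.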
As evident from line 6 of “package.json” above, the postinstall (Read more...)