The “web-browserify” npm component, now taken down, existed on npm as a .TGZ archive (typical of npm components) with just one version (1.0.0), which is about 27 MB in size.
The “postinstall.js” file simply extracts a mysterious “run.tar.xz” archive (shown above) nested within the “web-browserify” component’s TGZ archive.
The “run.tar.xz” further contains a 64-bit ELF executable called “run,” which is capable of running on both Linux and Mac operating systems.
Executable and Linkable Format (ELF) is a common format for Unix-based executable binaries and libraries.
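The layout described above (an install hook, an archive nested inside the package, and an ELF binary inside that) can be checked for before a package is ever installed. The following is an added example, not code from the original post or from npm; the function names and the constructed sample package are assumptions for illustration. It goes slightly beyond the single case in the text by checking all three install lifecycle hooks and several archive suffixes, and it reads everything in memory without extracting to disk.

```python
import io, json, tarfile

INSTALL_HOOKS = ("preinstall", "install", "postinstall")
ARCHIVE_SUFFIXES = (".tar.xz", ".tar.gz", ".tgz", ".tar")
ELF_MAGIC = b"\x7fELF"
ELF_CLASS = {b"\x01": "32-bit", b"\x02": "64-bit"}  # EI_CLASS byte of the ELF header

def members(blob):
    """Yield (name, bytes) for each regular file in a tar stream (gz/xz/plain)."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for m in tar:
            if m.isfile():
                yield m.name, tar.extractfile(m).read()

def audit(blob, prefix="", depth=2):
    """Report install hooks, nested archives and ELF binaries in a package tarball."""
    findings = []
    for name, data in members(blob):
        path = prefix + name
        if name.rsplit("/", 1)[-1] == "package.json":
            scripts = json.loads(data).get("scripts", {})
            findings += [("install-hook", path, f"{h}: {scripts[h]}")
                         for h in INSTALL_HOOKS if h in scripts]
        if data[:4] == ELF_MAGIC:
            findings.append(("elf-binary", path, ELF_CLASS.get(data[4:5], "unknown")))
        elif name.endswith(ARCHIVE_SUFFIXES) and depth > 0:
            findings.append(("nested-archive", path, f"{len(data)} bytes"))
            try:  # recurse into the nested archive, "!" separates archive levels
                findings += audit(data, path + "!", depth - 1)
            except tarfile.ReadError:
                findings.append(("unreadable-archive", path, "not a tar stream"))
    return findings

def make_tar(files, mode):  # helper used only to build the constructed sample
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=mode) as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_sample():
    """Constructed sample mirroring the described layout; the 'ELF' is a 16-byte stub."""
    stub = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9
    manifest = {"name": "sample-pkg", "version": "1.0.0",
                "scripts": {"postinstall": "node postinstall.js"}}
    return make_tar({"package/package.json": json.dumps(manifest).encode(),
                     "package/postinstall.js": b"// placeholder\n",
                     "package/run.tar.xz": make_tar({"run": stub}, "w:xz")}, "w:gz")
```

Calling `audit(build_sample())` returns one finding per indicator; a package that combines an install hook with a nested archive carrying a native binary is worth manual review before installation.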
As evident from line 6 of “package.json” above, the postinstall
*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/damaging-linux-mac-malware-bundled-within-browserify-npm-brandjack-attempt