Npm packages conceal macOS malware in ‘travis.yml’ files, drop bogus “Safari Updates”

Three npm packages identified by Sonatype this week conceal malware in a file named “travis.yml,” mimicking the .travis.yml CI/CD build configuration file used by Travis CI. These packages carry metadata, a description, and code copied from the legitimate “cli-width” package, but instead deploy a malicious macOS binary disguised as a “Safari update.”

These malicious npm packages are:

  • tyibyc

  • x91yz

  • y78b

Analyzed by Sonatype security researchers Carlos Fernández, Raphael Luy, and Sebastian Arias Amador, these packages had altogether accumulated around 114 downloads [1, 2, 3] by the time we reported them to npm and the registry admins removed them.

These packages contain tainted versions of files taken from the legitimate “cli-width” library to covertly drop a suspicious binary on the system they are installed on.

Taking a look at “x91yz,” for example, its manifest file (package.json) declares an install script that runs a “package-lock.js” file as soon as the package is installed. The choice of name, “package-lock,” seems intentional on the part of the malicious package author: “package-lock.json” (not .js) is the file npm generates in packages to pin an exact, versioned dependency tree, so a file of that name looks unremarkable at a glance.

Note that the “author,” “description,” and project “homepage” fields in the manifest's metadata all describe the legitimate ‘cli-width’ library and not this malicious package:

Drops a bogus “Safari Update”

The “package-lock.js” file contains code taken from “cli-width” that has been modified on lines 40-43. On these lines, the code creates a “~/Library/Application Support/Safari Update” directory on the victim's macOS system.

It then copies a bundled “travis.yml” file to this newly created directory, renames it to “updateSafari,” and runs it.

This so-called “travis.yml” file is in fact a Mach-O binary, not the plaintext YAML configuration file that Travis CI reads. The naming convention is, once again, (Read more...)

*** This is a Security Bloggers Network syndicated blog from 2024 Sonatype Blog authored by Ax Sharma. Read the original post at: https://www.sonatype.com/blog/npm-packages-use-travis.yml-files-to-conceal-macos-malware-disguised-as-safari-updates