Linux, MacOS Malware Hidden in Fake Browserify NPM Package

 

Over the course of the weekend, Sonatype's automated malware detection system spotted a serious exceptional malware sample published to the NPM registry. NodeJS engineers working with Linux and Apple macOS operating systems were targeted by a brand-new malicious package recognized on the NPM (Node Package Manager) registry. The malignant package, named "web-browserify" looks like the well-known Browserify NPM component which has been downloaded in excess of 160 million times all through its lifecycle, with over 1.3 million weekly downloads on NPM alone, being utilized by 356,000 GitHub repositories. 

Evidently, the malignant component has been downloaded around 50 times before it was taken out from the NPM within two days of its publishing. The package, made by a pseudonymous creator portraying themselves to be Steve Jobs, consolidates many approved open-source components and executes extensive surveillance actions on a contaminated system. Besides, up to this point, none of the main antivirus engines had the option to identify the ELF malware contained with the component. The way that it utilizes genuine software applications to perform dubious exercises could be one of the reasons. 

Browserify's fame comes from it being an open-source JavaScript instrument that permits developers to write cross-platform, NodeJS-style modules that gather for use in the browser. The distinction between the authentic Browserify and the phony one is that the latter abuses legitimate NPM components to bundle inside a malicious, hard to notice Linux and Mac executable. 

The malignant bundle incorporates a manifest file, package.json, a postinstall.js script, and an ELF executable called "run" existing in a compressed archive, run.tar.xz inside the npm component. When a developer is installing the package, the scripts pull out and start the "run" Linux binary from the archive, which demands elevated or root permissions from the user. The extracted "run" binary is immense, around 120 MB in size, and bundles inside itself hundreds of legitimate NPM components. The malware is made totally from open source components and uses these genuine components to organize its extensive surveillance activities. 

The cross-platform “sudo-prompt” module is one of these components and is used by "run" to provoke the client into permitting the malware root privileges on both macOS and Linux distributions.