Hidden Malware — Browserify NPM

Lucas Santiago, Maryville University Cyber Fusion Center
Apr 22, 2021

Vulnerability Details

Earlier this week a new malicious package was discovered on the JavaScript npm registry. The malware targets both Linux and macOS operating systems. The package disguises itself as “web-browserify” to imitate the vastly popular Browserify npm component, which gets around 1.3 million weekly downloads and is used by over 356,000 GitHub repositories. “web-browserify” uses hundreds of legitimate open-source components to perform reconnaissance once it is on the system. What is concerning about this package is that it has a zero detection rate across all leading antivirus engines.

Threat Vector

The only way that web-browserify can get onto your device is if you accidentally download it. Once it is installed on the device it executes the run command and asks the user for elevated (root) permissions. Since it is disguising itself as a legitimate program, many users will grant this permission. Once it has this permission it copies itself to /etc/rot1 on a Linux system. From there it runs every time the computer boots. Using the legitimate open-source npm component known as systeminformation, it collects the following: system username, OS info, info on Docker images, Bluetooth-connected devices, any data on VMs, CPU speed and model, and RAM size.

Remediation

Since none of the leading antivirus programs can detect this malware (mostly due to its use of legitimate software), you will have to do some investigating. If you have recently downloaded Browserify, make sure you downloaded the right package from the trusted source. If the typosquatted package is on your system, uninstall it and install the correct software.
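A small check for the two indicators the post names, the “web-browserify” package name in a project’s dependency files and the /etc/rot1 persistence path on Linux. This is an added example written for this post, not code from the original article or from the Browserify project; the sample package.json and lockfile contents are constructed, and the lockfile parsing assumes the standard npm v1 “dependencies” / v2-v3 “packages” layouts.

```python
import json
import os

# Indicators taken from the post: the typosquatted package name and the Linux
# persistence path it copies itself to. Everything else here is constructed.
TYPOSQUAT = "web-browserify"
LEGIT = "browserify"
PERSISTENCE_PATH = "/etc/rot1"

DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")

def names_in_manifest(manifest):
    """Package names declared in any dependency section of a package.json."""
    names = set()
    for section in DEP_SECTIONS:
        names.update(manifest.get(section, {}))
    return names

def names_in_lockfile(lock):
    """Package names pinned in package-lock.json (v1 'dependencies', v2/v3 'packages')."""
    names = set(lock.get("dependencies", {}))
    for key in lock.get("packages", {}):
        if key:  # the empty key is the root project entry, not a dependency
            names.add(key.rsplit("node_modules/", 1)[-1])
    return names

def check_project(manifest, lock=None):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if TYPOSQUAT in names_in_manifest(manifest):
        findings.append(f"package.json declares {TYPOSQUAT}; the real package is {LEGIT}")
    if lock is not None and TYPOSQUAT in names_in_lockfile(lock):
        findings.append(f"package-lock.json pins {TYPOSQUAT}; reinstall from a clean lockfile")
    return findings

def persistence_present(path=PERSISTENCE_PATH):
    """True if the Linux persistence artifact described in the post exists."""
    return os.path.exists(path)

# Constructed sample inputs: a manifest that pulled in the typosquat and a v2-style lockfile.
SAMPLE_MANIFEST = json.loads('{"dependencies": {"web-browserify": "^1.0.0", "express": "^4.17.1"}}')
SAMPLE_LOCK = {"packages": {"": {}, "node_modules/web-browserify": {"version": "1.0.0"},
                            "node_modules/express": {"version": "4.17.1"}}}

if __name__ == "__main__":
    for line in check_project(SAMPLE_MANIFEST, SAMPLE_LOCK) or ["no typosquat found"]:
        print(line)
    if persistence_present():
        print(f"{PERSISTENCE_PATH} exists: investigate boot-time persistence")
```

To use it on a real project, load its package.json and package-lock.json with json.load and pass them to check_project.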

Upon request, the Maryville Cyber Fusion Center can perform a security audit, determining if you are vulnerable to this and suggest or assist with remediation if vulnerabilities exist. Please reach out to cyber@maryville.edu if you have any questions or concerns relating to this vulnerability.
