Malware Discovered in npm Registry that can Affect Linux

Sonatype has discovered a unique piece of malware in the npm registry, called web-browserify.

If you work with npm, be aware of a newly discovered piece of malware called web-browserify. This malicious package imitates the official Browserify component, which uses a node-style require() to organize browser code and load modules installed by npm.

This malware, which falls under the label "brandjacking," borrows the name of the Browserify component because of Browserify's massive popularity (over 1.3 million weekly downloads via npm).

As soon as web-browserify is installed, it launches its payload and targets Node.js developers. This package was only about 27 MB in size and included one version (1.0.0). Within the package is a postinstall.js file that extracts an archive named run.tar.xz, which includes an ELF binary named run (the actual malicious payload).

Very soon after it was discovered, web-browserify was taken down from the npm repository. That doesn't mean, however, that it hasn't been mistakenly installed. To find out if web-browserify was installed on your system, issue the command npm list. If you find the package installed, remove it with the command npm uninstall web-browserify. However, even if you remove the package, the malicious code was probably already launched and you'll need to take other measures.
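
For checking many project directories at once, the following added example (not from Sonatype or the original article) searches a directory tree for the package and for the file names mentioned above. It assumes the archive is unpacked inside the package directory, which the article does not state; the function names and output labels are made up for this example.

```shell
# Constructed example. Names checked (web-browserify, postinstall.js, run.tar.xz,
# run) come from the article; function names and output labels are assumptions.
# Usage: scan_web_browserify /path/to/projects   (exit status 1 means findings)

is_elf() {
    # ELF files begin with the magic bytes 7f 45 4c 46
    [ -f "$1" ] && [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

scan_web_browserify() {
    root=${1:-.}
    hits=$(
        # Installed copies of the package anywhere under $root
        find "$root" -type d -path '*/node_modules/web-browserify' 2>/dev/null |
        while IFS= read -r dir; do
            echo "INSTALLED $dir"
            for f in postinstall.js run.tar.xz; do
                if [ -f "$dir/$f" ]; then echo "ARTIFACT $dir/$f"; fi
            done
            # Assumption: the archive is unpacked inside the package directory.
            # An ELF file named "run" there means the postinstall step executed.
            find "$dir" -type f -name run 2>/dev/null |
            while IFS= read -r bin; do
                if is_elf "$bin"; then echo "EXTRACTED-ELF $bin"; fi
            done
        done
        # Project manifests and lockfiles that still reference the package
        find "$root" -type f \( -name package.json -o -name package-lock.json \) \
            ! -path '*/node_modules/*' 2>/dev/null |
        while IFS= read -r manifest; do
            if grep -q '"web-browserify"' "$manifest"; then
                echo "REFERENCED $manifest"
            fi
        done
    )
    if [ -n "$hits" ]; then printf '%s\n' "$hits"; fi
    [ -z "$hits" ]   # exit status 0 = nothing found, 1 = findings
}
```

An INSTALLED or EXTRACTED-ELF line means the postinstall step may already have run on that machine, so uninstalling the package alone is not enough there.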

To find out more about web-browserify, check out Sonatype's blog about the discovery.

04/15/2021