The malware was listed on the npm registry as “web-browserify”, in imitation of the popular Browserify component, which has been downloaded upwards of 160 million times since launch.
Linux and macOS malware
Analysis conducted by Sonatype revealed the web-browserify package had been created by stitching together hundreds of different open source components, all of which are legitimate when taken in isolation.
Once downloaded, the package extracts and runs an ELF malware executable, elevating the attacker’s privileges and laying the foundations for all manner of surveillance activities. The data types harvested by the malware include OS information, VMs present on the system, Docker images, connected Bluetooth devices and various data points on the device hardware.
The malware is also able to gain persistence on Linux, building itself into the startup process that activates whenever a device is switched on.
Although the malware threat was detected relatively early, having accrued only 50 downloads, researchers found it had an alarming ability to bypass security measures. At the time of writing, the ELF malware smuggled in the malicious package has a zero detection rate among all leading antivirus software.
The chaining together of legitimate software for illegitimate purposes is thought to have allowed the malware to evade detection so successfully.
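Because the ELF payload itself evaded antivirus, a more reliable check is to inspect the package tarball before installation for the two ingredients the article describes: an install-time lifecycle script in package.json and an embedded ELF binary. The following is an added defensive example, not code from the article or from Sonatype; it builds a constructed in-memory tarball for demonstration, but `audit_npm_tarball` works on the bytes of a real tarball as produced by `npm pack`.

```python
import io
import json
import tarfile

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF executable
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def audit_npm_tarball(data: bytes) -> dict:
    """Flag packages that combine an install hook with a bundled ELF binary."""
    findings = {"lifecycle_scripts": {}, "elf_files": []}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            fh = tar.extractfile(member)
            if fh is None:
                continue
            # npm tarballs place all files under a top-level "package/" directory
            if member.name == "package/package.json":
                scripts = json.loads(fh.read()).get("scripts", {})
                findings["lifecycle_scripts"] = {
                    k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS
                }
            elif fh.read(len(ELF_MAGIC)) == ELF_MAGIC:
                findings["elf_files"].append(member.name)
    findings["suspicious"] = bool(findings["lifecycle_scripts"]) and bool(findings["elf_files"])
    return findings


def build_sample_tarball(malicious: bool = True) -> bytes:
    """Constructed sample: package name and contents are invented for this demo."""
    manifest = {"name": "example-package", "version": "1.0.0"}
    if malicious:
        manifest["scripts"] = {"postinstall": "node ./run.js"}
        payload = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 29  # fake ELF header
    else:
        payload = b"#!/usr/bin/env node\nconsole.log('hello');\n"
    files = (
        ("package/package.json", json.dumps(manifest).encode()),
        ("package/bin/helper", payload),
    )
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_npm_tarball(build_sample_tarball(malicious=True)))
```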
The web-browserify package has since been removed from the npm registry, but sets a precedent that could inform future attacks of this kind.