Sonatype has reported a new package on the npm registry that targets Node.js developers on Linux and Apple macOS. The package performs extensive reconnaissance on infected systems, and its ELF malware component had a zero detection rate across leading antivirus engines, as BleepingComputer reports.
Sonatype is a full-spectrum software supply chain management platform.
The malicious package is called “web-browserify” and impersonates the legitimate Browserify npm component, which has been downloaded more than 160 million times over its lifetime and is used by more than 356,000 GitHub repositories.
This week, Sonatype’s automated malware detection system, Release Integrity, flagged “web-browserify” on the npm registry; the Sonatype security research team then confirmed it as malicious.
“web-browserify” was downloaded nearly 50 times in the two days before it was removed from npm.
As soon as a developer installs “web-browserify”, its install scripts request elevated (root) permissions.
The package pulls in hundreds of legitimate open-source npm components that are then used for the malicious activity. One of them, the cross-platform “sudo-prompt” module, prompts the user for their password so that a command can be run with root privileges on both macOS and Linux.
Because the prompt appears at almost the same moment “web-browserify” is being installed, the developer may be misled into believing that the legitimate installer is what requires elevated permissions.
Once the malware has elevated permissions, it establishes persistence on the system and performs extensive reconnaissance and fingerprinting.
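The install-time pattern described above (a lifecycle script that runs during `npm install` and pulls in a module whose job is to prompt for root, published under a name that piggybacks on a popular package) can be screened for before installation. The script below is an added example, not code from Sonatype, npm or the web-browserify package. It audits a package.json for lifecycle hooks, privilege-prompt dependencies and name impersonation. The two manifests and the popular-name list are constructed for illustration and do not reproduce the real package; a real check would draw the popular-name list from registry download counts.

```javascript
// Added example (not Sonatype's or npm's code): audit a package.json before
// `npm install` for the install-time behaviour described in the report.

// Scripts npm runs automatically as part of installing a package.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Modules whose purpose is to ask the user for root. sudo-prompt is the one
// named in the report; a library with no business being root should not need it.
const PRIVILEGE_PROMPT_DEPS = new Set(['sudo-prompt']);
// Toy list of popular package names (assumption for this example).
const POPULAR_NAMES = ['browserify', 'express', 'lodash', 'react', 'webpack'];

// Single-row dynamic-programming edit distance, used to catch typo-squats.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];            // dp[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = prev[j];       // dp[i-1][j], still unmodified at this point
      prev[j] = Math.min(above + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return prev[b.length];
}

// Three impersonation shapes: a scoped copy (@someone/browserify), an affixed
// name (web-browserify) and a typo-squat (browserfy). The genuine name passes.
function findImpersonation(name, popular = POPULAR_NAMES) {
  if (popular.includes(name)) return null;
  const bare = name.replace(/^@[^/]+\//, '').toLowerCase();   // drop an npm scope
  const tokens = bare.split(/[-_.]/);
  for (const target of popular) {
    if (bare === target) return { target, kind: 'scope' };
    if (tokens.includes(target)) return { target, kind: 'affix' };
    if (levenshtein(bare, target) <= 2) return { target, kind: 'typo' };
  }
  return null;
}

// Returns { verdict, findings }. A lifecycle hook combined with a root-prompt
// dependency is exactly the pattern in the report, so that combination is a
// block rather than a warning.
function auditManifest(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push({ type: 'lifecycle-hook', detail: `${hook}: ${scripts[hook]}` });
  }
  for (const deps of [pkg.dependencies, pkg.devDependencies, pkg.optionalDependencies]) {
    for (const dep of Object.keys(deps || {})) {
      if (PRIVILEGE_PROMPT_DEPS.has(dep)) findings.push({ type: 'privilege-prompt-dep', detail: dep });
    }
  }
  const imp = findImpersonation(pkg.name || '');
  if (imp) findings.push({ type: 'impersonation', detail: `${imp.kind} of ${imp.target}` });

  const types = new Set(findings.map((f) => f.type));
  const verdict = types.has('lifecycle-hook') && types.has('privilege-prompt-dep') ? 'block'
    : findings.length ? 'review' : 'ok';
  return { verdict, findings };
}

// Constructed manifests for the demo; neither is the real package's manifest.
const SUSPICIOUS_MANIFEST = {
  name: 'web-browserify',
  version: '1.0.0',
  scripts: { postinstall: 'node ./postinstall.js' },
  dependencies: { 'sudo-prompt': '^9.0.0', yargs: '^16.0.0' },
};
const BENIGN_MANIFEST = {
  name: 'browserify',
  version: '17.0.0',
  scripts: { test: 'tap test/*.js' },
  dependencies: { acorn: '^8.0.0' },
};

for (const manifest of [SUSPICIOUS_MANIFEST, BENIGN_MANIFEST]) {
  console.log(manifest.name, JSON.stringify(auditManifest(manifest), null, 2));
}
```

Running a check like this before installing is one layer; the other is not letting install hooks run at all. npm honours `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`), which prevents lifecycle scripts such as `postinstall` from executing, so a prompt for root during installation then has no legitimate explanation and should be treated as hostile.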
It can collect the following information:
- System username
- Operating system information, such as manufacturer/brand
- Bluetooth-connected devices
- Whether virtual machines are present on the system or virtualization is enabled
- CPU speed, model, and cores
- RAM size, hard drive capacity, disk layout, system architecture
- Information on Docker images
- Hardware information regarding network cards/interfaces, battery, WiFi, USB devices, etc.
BleepingComputer confirmed it saw some of this fingerprinting information being exfiltrated to an attacker-controlled domain.
At the time of writing, the malware had zero detections on VirusTotal.
This may be because it carries out its activity through genuine, widely used software components rather than custom malicious code.
Sonatype says the full extent of this malware’s capabilities, and its purpose, are yet to be determined.