'web-browserify' Malware Mimics a Legitimate npm Package
Cybercriminals often exploit legitimate resources in an attempt to amplify their attacks or extend the reach of their operations. One recent campaign used exactly this strategy. This time, the criminals targeted an online repository that developers use to share JavaScript code and scripts with one another. The service in question is the Node Package Manager (npm), which is part of GitHub. It hosts numerous useful scripts and libraries that millions of developers around the world rely on, and one of these modules is called 'browserify.' It easily racks up tens of thousands of downloads every week, and it is perfectly legitimate. The criminals, however, uploaded a look-alike package called 'web-browserify.' Developers who installed the knock-off by mistake may have unknowingly introduced the so-called 'web-browserify' Malware to their device. It is important to add that this malware affects Mac and Linux systems exclusively, and it is no longer hosted on the npm platform.
'web-browserify' Malware Evades Virtual Environments and Performs an Odd Destructive Maneuver
The 'web-browserify' Malware has some basic checks to try to avoid virtual environments, which are commonly used for malware analysis. The full scope of its functionality and goals is not yet clear, and cybersecurity experts note that it tends to exhibit some strange behavior. So far, 'web-browserify' Malware appears to function like a low-quality information stealer, going after software and hardware details, device information, usernames, etc. The strange part is that it tries to wipe out the contents of the '/etc/' directory on Linux and Mac systems. That directory is a core part of these operating systems, and having it wiped out is likely to prevent the system from booting.
Stealing small bits of information while breaking the infected system at the same time is a strange approach, and it is likely that 'web-browserify' Malware's creators have other plans as well. However, so far, the malware has not exhibited any other behavior. While the malicious npm package is no longer available, it is likely that the criminals behind the operation will soon explore other malware propagation channels. To keep your Linux and Mac systems safe, you should rely on reputable antivirus software.