Malicious NPM packages leverage Unicode Steganography, Google Calendar as C2 Dropper
May 15, 2025Ravi LakshmananMalware/Threat Intelligence
Cybersecurity researchers have discovered a malicious npm package named “OS-INFO-Checker-ES6.” It is disguised as an operating system information utility, but secretly drops a next-stage payload onto the compromised system.

“The campaign employs clever Unicode-based steganography to hide the first malicious code and uses Google Calendar Event Short Links as the dynamic dropper for the final payload,” Veracode said in a report shared with Hacker News.

“OS-INFO-Checker-ES6” was first published to the NPM registry on March 19, 2025 by a user named “Kim9123” and had been downloaded 2,001 times at the time of writing. The same user uploaded another NPM package, “Skip-Tot,” which lists “OS-INFO-Checker-ES6” as a dependency; that package has been downloaded 94 times.


Although the first five versions showed no signs of data exfiltration or malicious behavior, subsequent iterations uploaded on May 7, 2025 contained obfuscated code in the “preinstall.js” file that parses Unicode “Private Use Area” characters and extracts the next-stage payload hidden in them.

The malicious code is designed to contact a Google Calendar event short link (“calendar.app[.]google/”) whose event title is a base64-encoded string that decodes to a remote server at the IP address 140.82.54[.]223. In other words, Google Calendar serves as a dead-drop resolver that obscures the attacker-managed infrastructure.


However, no additional payload had been distributed at the time of analysis. This could mean the campaign is still in progress, is currently dormant, or has already concluded; another possibility is that the command-and-control (C2) server only responds to specific machines that meet certain criteria.

“Using legitimate and widely trusted services like Google Calendar as the intermediary hosting the next C2 link is a clever tactic to avoid detection and make the early stages of an attack more difficult,” Veracode said.


Application security firm Aikido, which also detailed the activity, further noted that three other packages list “OS-INFO-Checker-ES6” as a dependency and are suspected to be part of the same campaign:

  • Vue-dev-serverr
  • vue-dummyy
  • vue-bit


“The OS-INFO-Checker-ES6 package represents a sophisticated and evolving threat within the NPM ecosystem,” Veracode said. “The attacker showed the progression from apparent testing to multi-stage malware deployment.”

The disclosure comes as software supply chain security company Socket highlighted typosquatting, Go repository cache abuse, obfuscation, multi-stage execution, slopsquatting, and the abuse of legitimate services as six major adversary techniques adopted by threat actors in early 2025.

“To counter this, defenders should focus on behavioral signals such as unexpected post-installation scripts, file overwriting, and incorrect outbound traffic, while verifying third-party packages before use.”

“Static and dynamic analysis, version pinning, and thorough inspection of CI/CD logs are essential to detect malicious dependencies before they reach production.”
