Malicious NPM packages leverage Unicode Steganography, Google Calendar as C2 Dropper

May 15, 2025Ravi LakshmananMalware/Threat Intelligence

Cybersecurity researchers have discovered a malicious NPM package named “OS-INFO-Checker-ES6.” It disguises itself as an operating system information utility while secretly dropping a next-stage payload onto the compromised system.

“The campaign employs clever Unicode-based steganography to hide the initial malicious code and uses Google Calendar event short links as the dynamic dropper for the final payload,” Veracode said in a report shared with The Hacker News.

“OS-INFO-Checker-ES6” was first published to the NPM registry on March 19, 2025 by a user named “Kim9123” and has been downloaded 2,001 times at the time of writing. The same user uploaded another NPM package, “Skip-Tot,” which lists “OS-INFO-Checker-ES6” as a dependency; that package has been downloaded 94 times.

Although the first five versions showed no signs of data exfiltration or malicious behavior, subsequent iterations uploaded on May 7, 2025 were found to pack obfuscated code into the “preinstall.js” file that parses Unicode Private Use Area characters and extracts the next-stage payload. Private Use Area code points have no assigned glyph, so most editors and diff viewers render them as nothing or as a placeholder box, which is what lets the hidden code sit in plain sight inside an ordinary-looking string literal.
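The following is an added example, written for this page and not taken from Veracode, Aikido, or the package itself, showing how a second stage can be hidden in Unicode Private Use Area code points and how a scanner can flag it. The specific range used (Supplementary Private Use Area-A, starting at U+F0000) and the byte-to-code-point mapping are assumptions; the technique works the same way for any of the three PUA ranges.

```javascript
// Added example: Unicode PUA steganography, attacker and defender sides.
// Illustrative code, not the package's own. The PUA range is an assumption.

const PUA_BASE = 0xf0000; // assumed mapping: byte b -> code point U+F0000 + b

// All three Unicode Private Use ranges; none has an assigned glyph.
function isPrivateUse(cp) {
  return (cp >= 0xe000 && cp <= 0xf8ff) ||
         (cp >= 0xf0000 && cp <= 0xffffd) ||
         (cp >= 0x100000 && cp <= 0x10fffd);
}

// Attacker side: every payload byte becomes one invisible character.
function hideInPua(payload) {
  let out = '';
  for (const b of Buffer.from(payload, 'utf8')) {
    out += String.fromCodePoint(PUA_BASE + b);
  }
  return out;
}

// What a malicious preinstall.js does at install time: pull the PUA code
// points back out of the string and rebuild the hidden bytes.
function extractFromPua(text) {
  const bytes = [];
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    if (cp >= PUA_BASE && cp <= PUA_BASE + 0xff) bytes.push(cp - PUA_BASE);
  }
  return Buffer.from(bytes).toString('utf8');
}

// Defender side: count PUA characters in a source file and record where the
// first one sits. Real source code has essentially no reason to contain any.
function scanForPua(source) {
  let count = 0;
  let firstOffset = -1;
  let offset = 0;
  for (const ch of source) {
    if (isPrivateUse(ch.codePointAt(0))) {
      count += 1;
      if (firstOffset < 0) firstOffset = offset;
    }
    offset += ch.length; // UTF-16 code units, the way editors report columns
  }
  return { suspicious: count > 0, puaCount: count, firstOffset };
}

// Constructed sample, not the real package's file: a decoy line whose string
// literal carries the hidden second stage after the visible "|" character.
const HIDDEN_STAGE = 'console.log("second stage would run here")'; // constructed
const SAMPLE_PREINSTALL =
  'const s = "|' + hideInPua(HIDDEN_STAGE) + '";\n' +
  'console.log("collecting OS info");\n';

console.log(scanForPua(SAMPLE_PREINSTALL));
console.log(extractFromPua(SAMPLE_PREINSTALL));
```

Running the scanner over every `.js` file in `node_modules` (or over a package tarball before it is installed) is cheap, and a non-zero `puaCount` in an install-time script is a strong signal on its own, independent of whatever the decoder logic looks like.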

The malicious code is designed to contact a Google Calendar event short link (“calendar.app[.]google/”) whose event title is a Base64-encoded string that decodes to a remote server at the IP address 140.82.54[.]223. In other words, Google Calendar acts as a dead-drop resolver that obfuscates the attacker-managed infrastructure: the package never hard-codes the C2 address, only a link to a legitimate service from which the address is read at runtime, so the operator can rotate servers by editing a calendar entry.
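The exchange described above, as an added example that is not part of the original report: one side shows how an operator publishes the next-stage address in an event title and how an installer resolves it, the other shows a defender heuristic that decodes Base64-looking string literals in package code and reports the ones that turn into an IP address or URL. The HTML shape of the fetched event page is an assumption made for illustration, as is the list of dead-drop hosts; the IP address is the one named on this page.

```javascript
// Added example: a calendar event as a dead-drop resolver, and a hunt for
// Base64 literals that decode to network endpoints. Illustrative code only.

const IPV4 = /^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?::\d{1,5})?$/;

function looksLikeEndpoint(s) {
  return IPV4.test(s) || /^https?:\/\/\S+$/.test(s);
}

// Operator side: the real address goes into the event title, Base64-encoded;
// the package only ever carries the short link to the event.
function encodeDeadDropTitle(endpoint) {
  return Buffer.from(endpoint, 'utf8').toString('base64');
}

// Installer side: read the <title> of the fetched event page and decode it.
// The page layout is an assumption; real pages would need a real parser.
function resolveDeadDrop(html) {
  const m = /<title>([^<]*)<\/title>/i.exec(html);
  if (!m) return null;
  const decoded = Buffer.from(m[1].trim(), 'base64').toString('utf8');
  return looksLikeEndpoint(decoded) ? decoded : null;
}

// Defender side (1): Base64-looking string literals that decode to an IP
// or URL. Surfaces hidden C2 addresses even when the literal is opaque.
function findEncodedEndpoints(source) {
  const hits = [];
  const re = /["'`]([A-Za-z0-9+/]{8,}={0,2})["'`]/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const decoded = Buffer.from(m[1], 'base64').toString('utf8');
    if (looksLikeEndpoint(decoded)) hits.push({ literal: m[1], decoded });
  }
  return hits;
}

// Defender side (2): references to services commonly used as dead drops.
// An install-time script has no business fetching a calendar link.
const DEAD_DROP_HOSTS = ['calendar.app.google']; // assumed watchlist
function findDeadDropLinks(source) {
  return DEAD_DROP_HOSTS.filter((host) => source.includes(host));
}

// Constructed samples: a fake event page and a fake install script.
const SAMPLE_EVENT_HTML =
  '<html><head><title>' + encodeDeadDropTitle('140.82.54.223') + '</title></head>' +
  '<body></body></html>';
const SAMPLE_SOURCE =
  'const link = "https://calendar.app.google/";\n' +
  'const t = "' + encodeDeadDropTitle('140.82.54.223') + '";\n';

console.log(resolveDeadDrop(SAMPLE_EVENT_HTML));
console.log(findEncodedEndpoints(SAMPLE_SOURCE));
console.log(findDeadDropLinks(SAMPLE_SOURCE));
```

The literal hunt is a heuristic: it misses addresses built from concatenated fragments or decoded through a second layer, which is why it belongs next to behavioral monitoring of what install scripts actually connect to, not in place of it.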

However, no additional payload had been distributed at the time of analysis. This indicates either that the campaign is still in progress or currently dormant, that it has already concluded, or that the command-and-control (C2) server is designed to respond only to specific machines that meet certain criteria.

“Using legitimate and widely trusted services like Google Calendar as the intermediary hosting the next C2 link is a clever tactic to avoid detection and make the early stages of an attack more difficult,” Veracode said.

Application security firm Aikido, which also detailed the activity, further noted that three other packages list “OS-INFO-Checker-ES6” as a dependency; these dependent packages are also suspected to be part of the same campaign:

  • vue-dev-serverr
  • vue-dummyy
  • vue-bit

“The OS-INFO-Checker-ES6 package represents a sophisticated and evolving threat within the NPM ecosystem,” Veracode said. “The attacker showed the progression from apparent testing to multi-stage malware deployment.”

The disclosure comes as software supply chain security company Socket highlighted typosquatting, Go repository cache abuse, obfuscation, multi-stage execution, slopsquatting (registering package names that AI coding assistants hallucinate), and abuse of legitimate services as the six major adversary techniques adopted by threat actors in early 2025.

“To counter this, defenders should focus on behavioral signals such as unexpected post-install scripts, file overwrites, and unauthorized outbound traffic, while verifying third-party packages before use.”

“Static and dynamic analysis, version pinning, and thorough inspection of CI/CD logs are essential to detect malicious dependencies before they reach production.”
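One way to act on the two recommendations above before a package reaches a build, as an added example that is not Socket's, Veracode's or Aikido's tooling: audit a package manifest for install-time lifecycle hooks, dependencies on the package names this article reports, and unpinned version ranges. The manifest layout follows the standard package.json fields; the watchlist and the sample manifest are constructed for illustration.

```javascript
// Added example: a small package.json audit for the signals discussed above.
// Illustrative code, not a vendor's scanner. Watchlist names are from this
// page; treating them as a blocklist is an assumption for the example.

// Hooks npm runs automatically during installation of a dependency.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// npm package names are lowercase on the registry; compare in lowercase.
const WATCHLIST = new Set([
  'os-info-checker-es6', 'skip-tot', 'vue-dev-serverr', 'vue-dummyy', 'vue-bit',
]);

// A pinned range is an exact semver version, optionally with a prerelease
// or build suffix. Anything else ("^1.0.0", "~1.0", "latest", "*") floats.
function isPinned(range) {
  return /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/.test(String(range).trim());
}

// Returns a list of findings, each { kind, detail }; empty means nothing
// noteworthy. Does not touch the network or the file system.
function auditManifest(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) {
      findings.push({ kind: 'lifecycle-script', detail: hook + ': ' + scripts[hook] });
    }
  }
  const deps = {
    ...(pkg.dependencies || {}),
    ...(pkg.devDependencies || {}),
    ...(pkg.optionalDependencies || {}),
  };
  for (const [name, range] of Object.entries(deps)) {
    if (WATCHLIST.has(name.toLowerCase())) {
      findings.push({ kind: 'watchlist-dependency', detail: name });
    }
    if (!isPinned(range)) {
      findings.push({ kind: 'unpinned-dependency', detail: name + '@' + range });
    }
  }
  return findings;
}

// Constructed sample manifest, not from any real project.
const SAMPLE_MANIFEST = {
  name: 'example-app',
  version: '1.0.0',
  scripts: { preinstall: 'node preinstall.js', test: 'mocha' },
  dependencies: { 'os-info-checker-es6': '^1.0.0', lodash: '4.17.21' },
};

console.log(auditManifest(SAMPLE_MANIFEST));
```

Run this over the manifest of every package in a lockfile, not just the top-level project, since the malicious package here was pulled in as a dependency of others. Where install-time hooks are not needed at all, `npm install --ignore-scripts` removes the whole class of preinstall attacks from a CI job.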
