
Cybersecurity researchers have discovered a malicious package named “OS-INFO-Checker-ES6” on the npm registry. It disguises itself as an operating system information utility while secretly dropping a next-stage payload onto the compromised system.
“The campaign employs clever Unicode-based steganography to hide its initial malicious code and uses a Google Calendar event short link as the dynamic dropper for the final payload,” Veracode said in a report shared with The Hacker News.
“OS-INFO-Checker-ES6” was first published to the npm registry on March 19, 2025 by a user named “Kim9123”. It had been downloaded 2,001 times at the time of writing. The same user uploaded another npm package called “Skip-Tot”, which lists “OS-INFO-Checker-ES6” as a dependency; that package has been downloaded 94 times.

Although the first five versions showed no signs of data exfiltration or other malicious behavior, subsequent iterations uploaded on May 7, 2025 were found to include obfuscated code in the “preinstall.js” file that parses Unicode Private Use Area characters and extracts the next-stage payload.
The malicious code is designed to contact a Google Calendar event short link (“calendar.app[.]google/”) whose event title is a Base64-encoded string that decodes to a remote server with the IP address 140.82.54[.]223. In other words, Google Calendar serves as a dead-drop resolver that obscures the attacker-controlled infrastructure.

However, no additional payloads have been distributed at this point. This suggests that the campaign is either still a work in progress or currently dormant. Another possibility is that it has already concluded, or that the command-and-control (C2) server is designed to respond only to specific machines that meet certain criteria.
“Using legitimate and widely trusted services like Google Calendar as the intermediary hosting the next C2 link is a clever tactic to avoid detection and make the early stages of an attack more difficult,” Veracode said.

Application security firms Aikido and Socket, which also detailed the activity, further noted that three other packages list “OS-INFO-Checker-ES6” as a dependency, and that these dependent packages are suspected to be part of the same campaign: vue-dev-serverr, vue-dummyy, and vue-bit.

“The OS-INFO-Checker-ES6 package represents a sophisticated and evolving threat within the npm ecosystem,” Veracode said. “The attacker showed a progression from apparent testing to multi-stage malware deployment.”
The disclosure comes as software supply chain security company Socket highlighted typosquatting, Go repository caching abuse, obfuscation, multi-stage execution, slopsquatting, and abuse of legitimate services as the six major adversarial techniques adopted by threat actors in early 2025.
“To counter this, defenders should focus on behavioral signals such as unexpected post-installation scripts, file overwrites, and unauthorized outbound traffic, while verifying third-party packages before use.”
“Static and dynamic analysis, version pinning, and thorough inspection of CI/CD logs are essential to detect malicious dependencies before they reach production.”
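The two signals this article describes, an obfuscated install-time script and Unicode Private Use Area characters hiding a payload, can be checked before a package is installed. The following is an added example, not code from Veracode, Socket, Aikido or the package itself: it flags lifecycle hooks in package.json and runs of Private Use Area code points in source files; the sample package, its file contents and the run-length threshold are constructed for illustration.

```javascript
// Added defensive example, not code from the reports or the package: flag two of the
// signals named above, lifecycle hooks in package.json and runs of Unicode Private Use
// Area code points in sources (invisible characters that often carry a hidden payload).
const PUA_RANGES = [[0xE000, 0xF8FF], [0xF0000, 0xFFFFD], [0x100000, 0x10FFFD]];
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

function isPrivateUse(cp) {
  return PUA_RANGES.some(([lo, hi]) => cp >= lo && cp <= hi);
}

// Count PUA code points in a source string and the longest contiguous run of them.
function scanForPrivateUse(source) {
  let count = 0, run = 0, longestRun = 0;
  for (const ch of source) {              // for..of walks code points, not UTF-16 units
    if (isPrivateUse(ch.codePointAt(0))) {
      count++;
      run++;
      longestRun = Math.max(longestRun, run);
    } else {
      run = 0;
    }
  }
  return { count, longestRun };
}

// Audit a package from its parsed package.json and a { fileName: contents } map.
// minRun is the PUA run length treated as suspicious (a constructed threshold).
function auditPackage(pkgJson, files, minRun = 16) {
  const findings = [];
  const scripts = pkgJson.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push(`lifecycle hook "${hook}" runs: ${scripts[hook]}`);
  }
  for (const [name, text] of Object.entries(files)) {
    const { count, longestRun } = scanForPrivateUse(text);
    if (longestRun >= minRun) {
      findings.push(`${name}: ${count} Private Use Area code points, longest run ${longestRun}`);
    }
  }
  return findings;
}

// Constructed sample package: a preinstall hook plus a source file hiding a PUA run.
const SAMPLE_PKG = { name: 'constructed-sample', scripts: { preinstall: 'node preinstall.js' } };
const SAMPLE_FILES = {
  'preinstall.js': 'const os = require("os");\nconst hidden = "' + '\uE041'.repeat(24) + '";\n',
  'index.js': 'module.exports = () => require("os").platform();\n',
};
console.log(auditPackage(SAMPLE_PKG, SAMPLE_FILES));
```

A real audit would read package.json and the tarball contents after `npm pack` rather than the constructed map; the threshold should be tuned against packages that legitimately use icon fonts, which also live in the Private Use Area.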