Article Details

Malicious npm Package Leverages Unicode Steganography, Google Calendar as C2 Dropper. Cybersecurity researchers have discovered a malicious package named "os-info-checker-es6" that disguises itself as an operating system information utility to stealthily drop a next-stage payload onto compromised systems. "This campaign employs clever Unicode-based steganography to hide its initial malicious code and utilizes a Google Calendar event short link as a dynamic dropper for its final payload," Veracode said in a report shared with The Hacker News. "Os-info-checker-es6" was first published in the npm registry on March 19, 2025, by a user named "kim9123." It has been downloaded 2,001 times as of writing. The same user has also uploaded another npm package called "skip-tot" that lists "os-info-checker-es6" as a dependency. The package has been downloaded 94 times. While the initial five versions exhibited no signs of data exfiltration or malicious behavior, a subsequent iteration uploaded on May 7, 2025, has been found to include obfuscated code in the "preinstall.js" file to parse Unicode "Private Use Access" characters and extract a next-stage payload. The malicious code, for its part, is designed to contact a Google Calendar event short link ("calendar.app[.]google/<string>") with a Base64-encoded string as the title, which decodes to a remote server with the IP address "140.82.54[.]223." In other words, Google Calendar is a dead drop resolver to obfuscate the attacker-controlled infrastructure. However, no additional payloads are distributed at this point. This either indicates that the campaign is either still a work in progress, or currently dormant. Another possibility is that it has already concluded, or that the command-and-control (C2) server is designed to respond only to specific machines that meet certain criteria. "This use of a legitimate, widely trusted service like Google Calendar as an intermediary to host the next C2 link is a clever tactic to evade detection and make blocking the initial stages of the attack more difficult," Veracode said. The application security company and Aikido, which also detailed the activity, further noted that three other packages have listed "os-info-checker-es6" as a dependency, although it's suspected that the dependent packages are part of the same campaign - "The os-info-checker-es6 package represents a sophisticated and evolving threat within the npm ecosystem," Veracode said. "The attacker demonstrated a progression from apparent testing to deploying a multi-stage malware." The disclosure comes as software supply chain security company Socket highlighted typoquatting, Go repository caching abuse, obfuscation, multi-stage execution, slopsquatting, and abuse of legitimate services and developer tools as the six main adversarial techniques adopted by threat actors in the first half of 2025. "To counter this, defenders must focus on behavioral signals, such as unexpected postinstall scripts, file overwrites, and unauthorized outbound traffic, while validating third-party packages before use," security researchers Kirill Boychenko and Philipp Burckhardt said. "Static and dynamic analysis, version pinning, and close inspection of CI/CD logs are essential to detecting malicious dependencies before they reach production."