Threat actors have been observed weaponizing Google Calendar invites as conduits for malware payload distribution, leveraging a novel obfuscation technique that utilizes a single Unicode character.
Security researchers investigating the npm package os-info-checker-es6 discovered that the package cloaked its malicious operations through the use of unprintable “Private Use Access” Unicode characters and encoded payload delivery sequences with Google Calendar as a pivot point.
Malware Exploits Unicode Obfuscation
The analysis began with suspicions raised about the os-info-checker-es6 package, which shipped without a README and exhibited dubious code patterns from the outset.
Most notably, its preinstall.js script performed an eval(atob(...)) call, an immediate red flag, as it means arbitrary code execution from a base64-encoded source.

Intriguingly, initial inspections suggested the executed string was simply a ‘|’ symbol.
However, deeper dives into the bytecode revealed the presence of nonstandard Unicode characters specifically designed to be invisible and thus evade casual scrutiny and some static analysis tools.
Reverse engineering the accompanying native Node.js binary (written in Rust) only deepened the mystery, as it lacked any apparent code for system information retrieval, counter to what the package name implied.
Researchers ultimately unearthed the obfuscation’s true intent: the Unicode bytes were transformed by the decode() function into a base64-encoded string, which was then executed.
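A reviewer can surface this kind of hiding before install by counting code points that render as nothing. The scanner below is an added example, not code from the package or from the researchers; the names scanSource and classify are hypothetical, the sample line is constructed, and it goes beyond the Private Use ranges to also cover variation selectors, tag characters and zero-width marks.

```javascript
// Added example: flag invisible Unicode and eval(atob(...)) in package scripts.
// Ranges are standard Unicode blocks; the sample input below is constructed.
const INVISIBLE_RANGES = [
  [0xE000, 0xF8FF, 'private-use (BMP)'],
  [0xF0000, 0xFFFFD, 'private-use (plane 15)'],
  [0x100000, 0x10FFFD, 'private-use (plane 16)'],
  [0xFE00, 0xFE0F, 'variation selector'],
  [0xE0100, 0xE01EF, 'variation selector supplement'],
  [0xE0000, 0xE007F, 'tag character'],
  [0x200B, 0x200F, 'zero-width / directional mark'],
];

function classify(cp) {
  const hit = INVISIBLE_RANGES.find(([lo, hi]) => cp >= lo && cp <= hi);
  return hit ? hit[2] : null;
}

// Returns one finding per line that contains hidden code points or eval(atob(.
function scanSource(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const kinds = {};
    let hidden = 0;
    for (const ch of line) {            // for...of iterates by code point
      const kind = classify(ch.codePointAt(0));
      if (kind) { hidden++; kinds[kind] = (kinds[kind] || 0) + 1; }
    }
    const evalDecoded = /\beval\s*\(\s*atob\s*\(/.test(line);
    if (hidden || evalDecoded) {
      findings.push({ line: i + 1, hidden, kinds, evalDecoded,
        visibleLength: [...line].length - hidden });
    }
  });
  return findings;
}

// Constructed sample: a string literal that renders as '|' but carries
// 40 invisible variation selectors after it.
const hiddenRun = String.fromCodePoint(
  ...Array.from({ length: 40 }, (_, n) => 0xE0100 + n));
const SAMPLE = [
  "const os = require('os');",
  "eval(atob(decode('|" + hiddenRun + "')));",
].join('\n');

console.log(JSON.stringify(scanSource(SAMPLE), null, 2));
```

A large gap between hidden and visibleLength on a line that also calls eval is the signal to escalate; zero-width joiners also occur in legitimate emoji sequences, so treat isolated hits as a heuristic.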
Early payloads were benign, simply printing “Check” to the console, possibly to test distribution or detection.
However, the real threat emerged with version 1.0.8 of os-info-checker-es6, published on May 7, 2025.
Here, the obfuscated string grew longer, and after decoding, it revealed a multi-stage malware loader.
This loader first contacted a Google-hosted Calendar invite page at https://calendar.app.google/t56nfUUcugH9ZUkx9.
The calendar event’s title field contained a base64-encoded URL pointing to the true malicious JavaScript payload, which resided on the attacker’s infrastructure at http://140.82.54[.]223/2VqhA0lcH6ttO5XZEcFnEA%3D%3D.
Node.js Package Chain Targeted
The loader handled redirects, extracted the payload URL from a custom data-base-title attribute in the event, and then fetched the actual malware.
The process was designed for resilience: it used single-instance locks, error logging, and retry loops to keep attempting payload execution, ensuring persistence across failures and system restarts.
Alarmingly, this attack chain did not require user interaction beyond the installation of a compromised npm package, capitalizing on the trust placed in open-source dependencies and the ubiquity of Google’s infrastructure for intermediate payload delivery and staging.
Further investigation revealed that the attacker published several similarly trojanized packages, including skip-tot, vue-dev-serverr, vue-dummyy, and vue-bit, all of which surreptitiously depended on os-info-checker-es6 yet did not trigger its decoder function, suggesting the campaign was still in reconnaissance or deployment-testing phases.
The campaign stands out for both its technical ingenuity and its bold use of mainstream cloud services as C2 channels.
By hiding data in unprintable Unicode and staging payload handoffs through Google Calendar, the attackers created a highly evasive and flexible malware delivery system.
However, this unusual complexity only drew more attention, enabling security teams to rapidly identify and block the involved assets.
Indicators of Compromise (IOC)
Type | Indicator | Description |
---|---|---|
Package | os-info-checker-es6 | Primary malicious npm package |
Package | skip-tot | Secondary trojanized package |
Package | vue-dev-serverr | Secondary trojanized package |
Package | vue-dummyy | Secondary trojanized package |
Package | vue-bit | Secondary trojanized package |
IP | 140.82.54[.]223 | Attacker’s C2 server |
URL | https://calendar.app[.]google/t56nfUUcugH9ZUkx9 | Google Calendar event used as payload stage |
URL | http://140.82.54[.]223/2VqhA0lcH6ttO5XZEcFnEA%3D%3D | Payload delivery endpoint |