A newly discovered, highly sophisticated malware campaign has been uncovered within the npm ecosystem, centering on a trojanized package named os-info-checker-es6.
This package initially masqueraded as a harmless OS information utility, but subsequent analysis has revealed a multi-stage attack using advanced technical subterfuge.
The attack demonstrates a marked escalation in threat actor tactics targeting open source software supply chains, blending Unicode-based steganography and cloud service abuse for covert command and control (C2).
Evolution from Benign to Stealthy Loader
Early versions of os-info-checker-es6 appeared innocuous, performing routine OS queries (such as platform, release, and architecture) and simple file writes during install hooks, with no indication of malicious behavior.
However, a rapid evolution began with new releases between March 22 and 23, which introduced platform-specific native Node.js binaries and a markedly altered install script.
The new preinstall logic subtly leveraged a decode function imported from a platform-tailored .node binary and operated on what appeared to be a trivial vertical bar character.
Further inspection, using binary analysis and Unicode investigation, revealed that this “bar” was followed by a dense sequence of invisible Unicode variation selectors from the Supplementary Special Purpose Plane (U+E0100–U+E01EF).
These non-spacing marks, invisible in plain text, were used to encode data via low-byte steganography, an obfuscation technique not commonly observed in npm malware.

Reverse engineering determined that each Unicode code point stored a single byte of data in its low byte.
By shifting these values, researchers exposed a Base64-encoded string, yielding benign code in initial versions ("console.log('Check');"), which primed the loader infrastructure without raising immediate suspicion.
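As an added example (my own code, not the package's and not Veracode's analysis tooling), the following Node.js script shows how a defender can detect and decode the variation-selector steganography described above: it collects runs of code points in U+E0100..U+E01EF, takes the low byte of each, and attempts a Base64 decode. A second helper flags the install-time signals mentioned earlier (lifecycle install hooks and shipped .node binaries). The hidden string, the sample preinstall script, the manifest and the file names are constructed fixtures, and the `os-info.node` module name is hypothetical.

```javascript
// Added example, not from the article or the trojanized package.
// Scanner for the low-byte variation-selector steganography described above,
// plus a manifest check for install hooks and native .node binaries.
const VS_MIN = 0xe0100; // Supplementary Special Purpose Plane variation selectors
const VS_MAX = 0xe01ef;

// Return every maximal run of variation selectors in `source`, with the UTF-16
// offset where the run starts and the low byte of each code point in the run.
function findVariationSelectorRuns(source) {
  const runs = [];
  let current = null;
  let offset = 0;
  for (const ch of source) { // for...of iterates by code point, not code unit
    const cp = ch.codePointAt(0);
    if (cp >= VS_MIN && cp <= VS_MAX) {
      if (current === null) current = { start: offset, bytes: [] };
      current.bytes.push(cp & 0xff); // the payload byte lives in the low byte
    } else if (current !== null) {
      runs.push(current);
      current = null;
    }
    offset += ch.length; // astral code points occupy two UTF-16 code units
  }
  if (current !== null) runs.push(current);
  return runs;
}

// Expose the hidden ASCII of one run and, if it is well-formed Base64,
// the decoded text. Runs that are not Base64 are still reported raw.
function decodeRun(run) {
  const hidden = Buffer.from(run.bytes).toString('latin1');
  const looksBase64 =
    hidden.length % 4 === 0 && /^[A-Za-z0-9+\/]+={0,2}$/.test(hidden);
  return {
    start: run.start,
    length: run.bytes.length,
    hidden,
    decoded: looksBase64 ? Buffer.from(hidden, 'base64').toString('utf8') : null,
  };
}

function scanSource(source) {
  return findVariationSelectorRuns(source).map(decodeRun);
}

// Flag a manifest that runs code at install time or ships native binaries.
// `fileList` is the unpacked tarball listing, supplied by the caller.
function auditPackage(pkg, fileList) {
  const findings = [];
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    if (pkg.scripts && pkg.scripts[hook]) {
      findings.push(`lifecycle hook "${hook}" runs: ${pkg.scripts[hook]}`);
    }
  }
  for (const file of fileList) {
    if (file.endsWith('.node')) findings.push(`native binary shipped: ${file}`);
  }
  return findings;
}

// --- Constructed fixtures (not the real package contents) ---
// Base64 of console.log('Check');, the benign string the early versions hid.
const HIDDEN_B64 = 'Y29uc29sZS5sb2coJ0NoZWNrJyk7';
// Build the invisible run: each Base64 character becomes the variation
// selector whose low byte equals that character's code.
const INVISIBLE_RUN = Array.from(HIDDEN_B64, (c) =>
  String.fromCodePoint(VS_MIN + c.charCodeAt(0))).join('');
// Hypothetical preinstall script shaped like the one the article describes:
// a decode() import from a .node binary applied to a "bare" vertical bar.
const SAMPLE_SCRIPT =
  "const { decode } = require('./os-info.node');\n" +
  `decode('|${INVISIBLE_RUN}');\n`;
const SAMPLE_MANIFEST = {
  name: 'constructed-example',
  scripts: { preinstall: 'node preinstall.js' },
};
const SAMPLE_FILES = ['package.json', 'preinstall.js', 'os-info.node'];

for (const f of scanSource(SAMPLE_SCRIPT)) {
  console.log(`run of ${f.length} selectors at offset ${f.start}: ${f.hidden} -> ${f.decoded}`);
}
for (const finding of auditPackage(SAMPLE_MANIFEST, SAMPLE_FILES)) {
  console.log(finding);
}
```

Run it over the `.js` files of an unpacked tarball; on the constructed sample it reports one run of 28 selectors decoding to `console.log('Check');` and two manifest findings. A run that does not decode as Base64 is still worth a look, since a later stage may use a different encoding.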
Abuse of Google Calendar for C2
The most significant escalation arrived with version 1.0.8, published on May 7. The ‘invisible’ steganographic string had grown substantially, and deobfuscation revealed a network-centric loader. The new payload performed the following:
- Contacted a Google Calendar short link (https://calendar.app.google/t56nfUUcugH9ZUkx9) as its indirect C2.
- Utilized custom redirect and scraping logic to extract a data-base-title attribute from the final event page, which held a Base64-encoded second-stage URL.
- Fetched the second-stage payload from this dynamically recovered URL, optionally handling encrypted data with IV and secret key headers.
- Persisted execution state by creating a lock file in the OS temp directory and implemented retry logic for reliability and evasion.
At the time of analysis, the C2 endpoint responded only with a benign payload (“process.exit(0)”), potentially indicating a dormant campaign, C2 teardown, or anti-analysis detection.
Notably, the use of a legitimate Google Calendar event as an intermediary dropper both complicates detection and leverages trust in mainstream cloud infrastructure.
According to Veracode, this blending of Unicode steganography for initial loader delivery with cloud-based dynamic C2 mirrors proof-of-concept research (notably GCR: Google Calendar Rat), but adapts it specifically for npm-based distribution, creating significant challenges for defenders.
As of this writing, os-info-checker-es6 registered approximately 655 weekly downloads and has been adopted as a dependency by four other packages: skip-tot, vue-dev-serverr, vue-dummyy, and vue-bit.
Attribution is ongoing, but cross-linked npm user activity and publication patterns suggest a coordinated campaign, with dormant packages potentially awaiting future activation.
This campaign exemplifies the growing complexity of software supply chain attacks, combining novel Unicode steganography, binary obfuscation, and cloud-based C2 in a single npm package.
It underscores the imperative for developers to rigorously vet dependencies, especially those employing install scripts or native modules, and for ecosystem stewards to enhance monitoring of publication patterns and installation behaviors.
The package and its variants have been reported to npm’s security team, but the evolving tactics on display highlight the need for ongoing vigilance and technical scrutiny within the open source community.