Malicious npm Package Leverages Unicode Steganography, Google Calendar as C2 Dropper

Posted on May 15, 2025 by CWS

May 15, 2025 | Ravie Lakshmanan | Malware / Threat Intelligence
Cybersecurity researchers have discovered a malicious package named "os-info-checker-es6" that disguises itself as an operating system information utility to stealthily drop a next-stage payload onto compromised systems.
"This campaign employs clever Unicode-based steganography to hide its initial malicious code and utilizes a Google Calendar event short link as a dynamic dropper for its final payload," Veracode said in a report shared with The Hacker News.
"Os-info-checker-es6" was first published to the npm registry on March 19, 2025, by a user named "kim9123." It has been downloaded 2,001 times as of writing. The same user has also uploaded another npm package called "skip-tot" that lists "os-info-checker-es6" as a dependency. That package has been downloaded 94 times.

While the initial five versions exhibited no signs of data exfiltration or malicious behavior, a subsequent iteration uploaded on May 7, 2025, has been found to include obfuscated code in the "preinstall.js" file that parses Unicode "Private Use Area" characters and extracts a next-stage payload.
The malicious code, for its part, is designed to contact a Google Calendar event short link ("calendar.app[.]google/<string>") whose title is a Base64-encoded string that decodes to a remote server with the IP address "140.82.54[.]223." In other words, Google Calendar serves as a dead drop resolver that obfuscates the attacker-controlled infrastructure.

However, no additional payloads are distributed at this point. This indicates that the campaign is either still a work in progress or currently dormant. Another possibility is that it has already concluded, or that the command-and-control (C2) server is designed to respond only to specific machines that meet certain criteria.
"This use of a legitimate, widely trusted service like Google Calendar as an intermediary to host the next C2 link is a clever tactic to evade detection and make blocking the initial stages of the attack harder," Veracode said.

The application security company and Aikido, which also detailed the activity, further noted that three other packages list "os-info-checker-es6" as a dependency, although it is suspected that the dependent packages are part of the same campaign –

vue-dev-serverr
vue-dummyy
vue-bit

"The os-info-checker-es6 package represents a sophisticated and evolving threat within the npm ecosystem," Veracode said. "The attacker demonstrated a progression from apparent testing to deploying a multi-stage malware."
The disclosure comes as software supply chain security company Socket highlighted typosquatting, Go repository caching abuse, obfuscation, multi-stage execution, slopsquatting, and abuse of legitimate services and developer tools as the six main adversarial techniques adopted by threat actors in the first half of 2025.
"To counter this, defenders must focus on behavioral signals, such as unexpected postinstall scripts, file overwrites, and unauthorized outbound traffic, while validating third-party packages before use," security researchers Kirill Boychenko and Philipp Burckhardt said.
"Static and dynamic analysis, version pinning, and close inspection of CI/CD logs are essential to detecting malicious dependencies before they reach production."
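As an added example (not code from the article, Veracode, Aikido or Socket), the following Node.js script checks a package for the signals described above: install lifecycle hooks in package.json, Unicode Private Use Area characters hidden in script source, and a Base64 event title that decodes to an IPv4 dead drop. The package manifest, script and title it runs on are constructed samples, not the real package's contents, and the address is the RFC 5737 documentation range.

```javascript
// Added example: audit an npm package for the three signals described in the article:
// install hooks, Private Use Area (PUA) characters in scripts, Base64 dead-drop titles.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// PUA ranges: BMP U+E000..U+F8FF plus supplementary planes 15 and 16.
function isPrivateUse(cp) {
  return (cp >= 0xE000 && cp <= 0xF8FF) ||
         (cp >= 0xF0000 && cp <= 0xFFFFD) ||
         (cp >= 0x100000 && cp <= 0x10FFFD);
}

// Count PUA code points, iterating by code point rather than by UTF-16 unit.
function countPrivateUse(source) {
  let n = 0;
  for (const ch of source) if (isPrivateUse(ch.codePointAt(0))) n++;
  return n;
}

// Decode a Base64 event title; return the IPv4 it hides, or null if it is not one.
function decodeDeadDropTitle(title) {
  const text = Buffer.from(title, "base64").toString("utf8").trim();
  return /^(\d{1,3}\.){3}\d{1,3}$/.test(text) ? text : null;
}

// Review package.json text plus a map of script filename -> source; return findings.
function auditPackage(packageJsonText, scriptSources) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push(`install hook "${hook}": ${scripts[hook]}`);
  }
  for (const [file, src] of Object.entries(scriptSources)) {
    const pua = countPrivateUse(src);
    if (pua > 0) findings.push(`${file}: ${pua} Private Use Area code points`);
    if (/calendar\.app\.google/i.test(src)) findings.push(`${file}: references calendar.app.google`);
  }
  return findings;
}

// Constructed sample input (not the real package): a manifest with a preinstall hook,
// a script whose string literal is made of PUA characters, and a Base64 IPv4 title.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-os-info", version: "1.0.0",
  scripts: { preinstall: "node preinstall.js" },
});
const SAMPLE_PREINSTALL = 'const hidden = "' + String.fromCodePoint(0xE001, 0xE002, 0xF8FF, 0xF0001) + '";\n';
const SAMPLE_TITLE = Buffer.from("192.0.2.10").toString("base64"); // constructed, documentation address

const FINDINGS = auditPackage(SAMPLE_PACKAGE_JSON, { "preinstall.js": SAMPLE_PREINSTALL });
```

A real audit would read package.json and every file named by the install hooks from the unpacked tarball before installation; any non-zero PUA count in an install script is worth a manual look.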

Copyright © 2026 Cyber Web Spider Blog – News.