Malicious npm Package Leverages Unicode Steganography, Google Calendar as C2 Dropper
Briefly

Cybersecurity researchers identified a malicious npm package named 'os-info-checker-es6' that masquerades as a system utility to deliver hidden payloads. It uses Unicode steganography to hide its code and delivers payloads via Google Calendar links. The package was first released in March 2025 and initially appeared benign, but later versions included obfuscated code intended for payload extraction. For now, the campaign appears to be either inactive or selective in its targets, and it exploits a trusted platform for evasion.
This campaign employs clever Unicode-based steganography to hide its initial malicious code and utilizes a Google Calendar event short link as a dynamic dropper for its final payload.
The malicious code, for its part, is designed to contact a Google Calendar event short link with a Base64-encoded string as the title, which decodes to a remote server.
Read at The Hacker News