Malicious NPM Package Uses Unicode Steganography to Evade Detection
Summary:
A recent investigation uncovered a sophisticated malware campaign delivered through an npm package named os-info-checker-es6. Initially appearing to be a benign utility for retrieving operating system information, the package concealed a multi-stage attack framework that evolved over time. Early versions of the package, first published on March 19, 2025, appeared harmless, containing standard preinstall scripts and functions to log system data. However, on March 22–23, several new versions introduced platform-specific compiled modules and obfuscated JavaScript, marking a significant shift in behavior.
The updated preinstall.js script used an unusual Unicode steganography technique to hide its malicious code. The payload was encoded as a run of invisible variation selectors from the Variation Selectors Supplement block (U+E0100–U+E01EF, in the Supplementary Special-purpose Plane) appended to an ordinary vertical bar, so the string rendered as a lone "|". A decode function exported by the package's native compiled module turned these selectors back into a Base64 string, which was then decoded and executed with JavaScript's eval(). Analysis showed the scheme to be a simple steganographic encoding: each selector's low byte carries one byte of the hidden data, further obscured with a shift cipher.
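The following is an added example, not code from the package or from the original report. It shows how a Base64 string can be hidden in invisible variation selectors behind a visible "|" and recovered from the low byte of each selector's code point after undoing a shift cipher. The per-byte SHIFT value, the exact byte-to-selector mapping and the sample stage-two script are assumptions for this demonstration, not the parameters used by os-info-checker-es6; the decoded text is returned rather than passed to eval().

```javascript
// Added example (not code from os-info-checker-es6 or the article): hide a
// Base64 string in Unicode variation selectors after a visible '|', then
// recover it from the low byte of each selector, undoing a shift cipher.

// Variation Selectors Supplement: U+E0100..U+E01EF (Plane 14). The low byte
// of the code point (cp & 0xff) runs 0x00..0xef, enough for any Base64 char.
const VS_BASE = 0xe0100;
const VS_LOW_MAX = 0xef;
const SHIFT = 0x21; // assumed shift applied to every byte before embedding

// Build a carrier that renders as a lone '|': each Base64 character is
// shifted and stored as one selector whose low byte equals the shifted value.
function hidePayload(base64) {
  let carrier = '|';
  for (const ch of base64) {
    const shifted = (ch.charCodeAt(0) + SHIFT) & 0xff;
    if (shifted > VS_LOW_MAX) throw new Error('byte does not fit in selector range');
    carrier += String.fromCodePoint(VS_BASE + shifted);
  }
  return carrier;
}

// The decode step: keep only selectors, take the low byte, undo the shift.
// for..of walks code points, so the astral selectors are read intact.
function revealPayload(carrier) {
  let base64 = '';
  for (const ch of carrier) {
    const cp = ch.codePointAt(0);
    if (cp < VS_BASE || cp > VS_BASE + VS_LOW_MAX) continue; // e.g. the visible '|'
    base64 += String.fromCharCode(((cp & 0xff) - SHIFT + 0x100) & 0xff);
  }
  return base64;
}

// The malicious preinstall.js passed the decoded text to eval(); here the
// plaintext is only returned so the example stays inert.
function decodeHiddenScript(carrier) {
  return Buffer.from(revealPayload(carrier), 'base64').toString('utf8');
}

// How many glyphs a reader actually sees, versus the code points present.
function visibleGlyphs(str) {
  return [...str].filter(ch => {
    const cp = ch.codePointAt(0);
    return cp < VS_BASE || cp > VS_BASE + VS_LOW_MAX;
  }).length;
}

// Constructed, harmless stand-in for a stage-two script.
const STAGE_TWO = "console.log('stage two would run here')";
const CARRIER = hidePayload(Buffer.from(STAGE_TWO, 'utf8').toString('base64'));

console.log('code points in carrier:', [...CARRIER].length);
console.log('visible glyphs        :', visibleGlyphs(CARRIER));
console.log('recovered script      :', decodeHiddenScript(CARRIER));
```

The carrier contains one code point per Base64 character plus the bar, yet renders as a single "|", which is why a reviewer skimming the file or a scanner that only looks at printable text misses it; checking code-point counts against visible glyphs, or simply rejecting the selector ranges in source files, exposes it immediately.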
The attack escalated further in version 1.0.8, published on May 7, 2025. The updated code fetched a Google Calendar short link, followed it to the event page, scraped a Base64-encoded URL from the event's metadata, and then downloaded and executed a secondary payload from that server. In effect the calendar event became a dynamic dropper: the operator can point victims at a new stage-two host simply by editing the event, and the first outbound request goes to a trusted Google domain rather than to attacker-owned infrastructure, which blunts simple domain-reputation checks. The approach resembles the earlier Google Calendar RAT proof-of-concept, except that here the calendar only hosts the stage-two download link rather than serving as a persistent C2 channel.
Security Officer Comments:
At the time of analysis, the command server returned a benign payload that merely told the process to exit, which could mean the campaign was in a dormant phase or that the server recognized the analysis environment and withheld the real stage two. Nonetheless, the package was being downloaded more than 650 times per week and was listed as a dependency of four other suspicious npm packages. The original uploader, kim9123, also published skip-tot, while the other packages came from similarly named accounts, suggesting a coordinated campaign that seeds seemingly dormant dependencies to widen distribution and embed the malicious functionality covertly.
Suggested Corrections:
- Audit dependencies regularly: Perform thorough code and dependency audits using tools to identify packages with unusual behaviors or recent obfuscation.
- Use package allowlists: Limit installation to vetted and approved npm packages by using internal registries or allowlists, especially in CI/CD environments.
- Scan for Unicode anomalies: Add static analysis checks that flag invisible or format characters in source files, such as variation selectors (U+FE00–U+FE0F, U+E0100–U+E01EF), zero-width characters and bidirectional controls, which have no legitimate use in plain JavaScript and are a strong indicator of steganographic hiding.
- Restrict outbound connections: Enforce network restrictions during build and install phases to prevent external calls from malicious packages.
- Use environment isolation: Run builds in sandboxed or containerized environments with limited system and network access to reduce the impact of malicious package execution.
- Report and remove malicious packages: Promptly report suspicious packages to the npm security team and remove them from your codebase. Avoid depending on packages with unclear authorship or recent sudden updates.
- Educate developers: Train developers to identify red flags in open-source packages, such as recently created accounts, lack of documentation, or sudden functionality changes.
https://www.bleepingcomputer.com/ne...ses-unicode-steganography-to-evade-detection/