Sophisticated NPM Attack Leverages Google Calendar for Advanced Communication

A startling discovery in the npm ecosystem has revealed a highly sophisticated malware campaign embedded within the seemingly innocuous package os-info-checker-es6.

First published on March 19, 2025, with initial versions appearing benign, the package rapidly evolved into a complex threat.

Early iterations focused on gathering basic OS information, but subsequent updates between March 22-23 introduced platform-specific compiled Node.js modules and intricate obfuscation techniques.

Multi-Stage Malware Unveiled

By version 1.0.6, the preinstall script began employing Unicode-based steganography, hiding malicious payloads in invisible variation selector characters from the Supplementary Special Purpose Plane.


These characters, lacking visible glyphs, were decoded using binary modules into Base64 strings, which were then executed via eval(), showcasing a clever evasion tactic to bypass traditional detection mechanisms.
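As an added example (not code from the article or from the package), the following Node.js scan shows how a defender can surface this kind of steganography without knowing the exact byte mapping: it finds runs of invisible variation selectors (U+FE00..U+FE0F and U+E0100..U+E01EF in plane 14) in a source file and flags a long run that sits next to an eval(). The sample preinstall script it scans is constructed here and carries arbitrary selector values, not the real payload.

```javascript
// Match runs of Unicode variation selectors: VS1-VS16 (BMP) and VS17-VS256
// (Supplementary Special Purpose Plane). The `u` flag is required for \u{...}.
const VS_RUN = /[\uFE00-\uFE0F\u{E0100}-\u{E01EF}]+/gu;

// Scan JavaScript source text and return every selector run (UTF-16 offset and
// code-point length), the longest run, and whether the file also calls eval().
// A run of at least `minRun` selectors in a file that evals is marked suspicious.
function scanSource(src, minRun = 16) {
  const runs = [];
  for (const m of src.matchAll(VS_RUN)) {
    // Spread to count code points; plane-14 characters are two UTF-16 units each.
    runs.push({ offset: m.index, length: [...m[0]].length });
  }
  const longest = runs.reduce((acc, r) => Math.max(acc, r.length), 0);
  const usesEval = /\beval\s*\(/.test(src);
  return { runs, longest, usesEval, suspicious: longest >= minRun && usesEval };
}

// Constructed sample: a preinstall script hiding 40 selectors inside a string
// literal and passing the decoded result to eval(). Values are arbitrary.
function buildSample() {
  let hidden = '';
  for (let i = 0; i < 40; i++) {
    hidden += String.fromCodePoint(0xe0100 + (i % 0xf0));
  }
  return `const marker = "|${hidden}";\nconst decoded = decode(marker);\neval(decoded);\n`;
}

// Constructed benign file for comparison: no selectors, no eval().
const CLEAN_SAMPLE = 'const os = require("os");\nmodule.exports = () => os.platform();\n';

console.log(scanSource(buildSample()));
console.log(scanSource(CLEAN_SAMPLE));
```

Editors render the hidden run as an empty-looking string, so the `longest` count is what makes the finding visible in a review.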

According to Veracode's report, this progression from harmless utility to covert loader underscores the stealth and adaptability of the attacker’s approach.

The threat escalated further with version 1.0.8, released on May 7, 2025, where os-info-checker-es6 integrated a novel command-and-control (C2) mechanism utilizing Google Calendar short links.

The malware’s script fetched a specific calendar event URL, scraped a Base64-encoded link from the data-base-title attribute, and followed it to retrieve the next-stage payload.

This payload, also Base64-encoded, was executed directly, with headers potentially carrying encryption parameters like IV and secret keys, though not fully implemented in the observed sample.

Google Calendar as a Resilient C2 Dropper

The use of Google Calendar as an intermediary dropper is a cunning move, leveraging a trusted platform to evade blacklisting and complicate early-stage blocking efforts.

Reminiscent of the Google Calendar RAT proof-of-concept, this tactic repurposes legitimate infrastructure for malicious intent, fetching dynamic payloads from a secondary C2 server (observed at http://140.82.54.223/...), which appeared dormant or guarded by anti-analysis checks during investigation.

The script also featured retry logic, error handling, and a persistence lock file in the temp directory, ensuring resilience against disruptions.

This attack’s impact is amplified by its reach within the npm ecosystem, with os-info-checker-es6 garnering 655 weekly downloads and serving as a dependency for four other packages: skip-tot, vue-dev-serverr, vue-dummyy, and vue-bit.

Published by users with suspiciously aligned naming patterns, including kim9123 who authored both the malware and skip-tot, these dependents hint at a broader malicious network, possibly lying dormant since before the malware’s activation.

This supply chain threat exemplifies the growing sophistication of attackers targeting open-source repositories, combining advanced steganography, compiled binaries, and trusted service abuse.

Prior to public disclosure, the issue was reported to npm’s security team for mitigation.

Developers are urged to scrutinize dependencies, especially those with install hooks or native modules, as this campaign highlights the urgent need for vigilance in an increasingly complex threat landscape.

