Exploitation of Unicode Steganography in Malicious npm Package for Google Calendar Command and Control Operations


Cybersecurity researchers have identified a malicious package titled “os-info-checker-es6,” masquerading as a utility for operating system information. Its primary function appears to be the stealthy installation of subsequent payloads on compromised systems.

The campaign leverages intricate Unicode-based steganography to conceal its initial malicious code. Furthermore, it employs a Google Calendar event short link serving as a dynamic dropper for its final payload, as detailed in a report shared with The Hacker News.

The “os-info-checker-es6” package first became available in the npm registry on March 19, 2025, uploaded by a user identified as “kim9123.” It has accumulated 2,001 downloads to date. Notably, this same user has released another npm package named “skip-tot,” which lists “os-info-checker-es6” as a dependency and has been downloaded 94 times.

Initially, the first five versions of this package exhibited no signs of malicious behavior or data exfiltration. However, a subsequent version released on May 7, 2025, has been found to contain obfuscated code within the “preinstall.js” file. This code parses Unicode Private Use Area characters (code points reserved for vendor-defined use, which render as blank or placeholder glyphs) to extract a next-stage payload.

The malicious code is programmed to reach out to a Google Calendar event short link (formatted as “calendar.app[.]google/”) containing a Base64-encoded string in the title. This string, once decoded, points to a remote server with the IP address “140.82.54[.]223.” Essentially, Google Calendar serves as a dead drop resolver, facilitating the obfuscation of the attacker’s infrastructure.
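The two traits described above (a script padded with Private Use Area code points, and a Google Calendar short link whose event title hides a Base64-encoded endpoint) can be triaged with a small scanner. The following is an added example written for this article, not code from the package or from the researchers; the sample script, link ID and the RFC 5737 documentation address it decodes are constructed.

```javascript
// Added example, not code from the article or from the package it describes.
// A triage scanner for npm lifecycle scripts (e.g. preinstall.js) that flags
// runs of Unicode Private Use Area code points (U+E000-U+F8FF plus the two
// supplementary PUA planes), which can hide a payload in plain sight, and
// Google Calendar short links, which the article describes as a dead-drop resolver.
const PUA_RE = /[\uE000-\uF8FF]|[\u{F0000}-\u{FFFFD}]|[\u{100000}-\u{10FFFD}]/gu;
const CALENDAR_RE = /calendar\.app\.google\/[A-Za-z0-9_-]+/g;

function scanScript(source) {
  const pua = source.match(PUA_RE) || [];
  const codePoints = [...source].length; // count code points, not UTF-16 units
  const calendarLinks = source.match(CALENDAR_RE) || [];
  const findings = [];
  if (pua.length > 0) {
    const pct = ((100 * pua.length) / codePoints).toFixed(1);
    findings.push(`${pua.length} Private Use Area code points (${pct}% of script)`);
  }
  if (calendarLinks.length > 0) {
    findings.push(`Google Calendar short link(s): ${calendarLinks.join(", ")}`);
  }
  return {
    puaCount: pua.length,
    calendarLinks,
    findings,
    verdict: findings.length > 0 ? "suspicious" : "clean",
  };
}

// Given a calendar event title seen while inspecting a flagged link in a
// sandbox, return the Base64-decoded value if it looks like a C2 endpoint
// (URL or IPv4 address with optional port/path); otherwise return null.
function decodeEventTitle(title) {
  const decoded = Buffer.from(title.trim(), "base64").toString("utf8");
  const url = /^https?:\/\/[\x21-\x7e]+$/;
  const ipv4 = /^(\d{1,3}\.){3}\d{1,3}(:\d+)?(\/[\x21-\x7e]*)?$/;
  return url.test(decoded) || ipv4.test(decoded) ? decoded : null;
}

// Constructed sample inputs (not the real package contents). The IP address is
// an RFC 5737 documentation address, not the one named in the article.
const SAMPLE_PREINSTALL =
  'const os = require("os");\n' +
  'const blob = "\uE001\uE004\uE00A\uE00B\uE001\uE003";\n' +
  'fetch("https://calendar.app.google/EXAMPLEID");\n';
const SAMPLE_TITLE = Buffer.from("http://192.0.2.10/stage2").toString("base64");

console.log(scanScript(SAMPLE_PREINSTALL));
console.log(decodeEventTitle(SAMPLE_TITLE));
```

A real deployment would run `scanScript` over every lifecycle script declared in `package.json` of a freshly resolved dependency tree and block installation when the verdict is "suspicious".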

At present, no additional payloads have been identified. This situation raises questions regarding whether the campaign is still ongoing, currently dormant, or has already concluded. It could also indicate that the command-and-control (C2) server is designed to respond only to specific machines that meet predetermined criteria.

Utilizing a legitimate and trusted service like Google Calendar as a conduit for hosting subsequent C2 links represents a calculated tactic by the attackers to evade detection, complicating efforts to block initial stages of the attack.

The application security firm Veracode, along with Aikido—which detailed similar activities—has noted that three other packages have referenced “os-info-checker-es6” as a dependency. These packages are suspected of being part of the same campaign and include:

– vue-dev-serverr
– vue-dummyy
– vue-bit

Veracode emphasizes that the “os-info-checker-es6” package indicates a sophisticated and evolving threat within the npm ecosystem. The attacker shows a clear progression from initial testing to the deployment of a multi-stage malware framework.

The revelation comes during a period in which software supply chain security company Socket has pointed out adversarial techniques such as typo-squatting, Go repository caching abuse, obfuscation, multi-stage execution, slopsquatting, and the exploitation of legitimate services and developer tools as prevalent threats.

To mitigate these risks, security professionals must focus on behavioral indicators, including unexpected post-install scripts, file overwrites, and unauthorized outbound traffic, while diligently validating third-party packages prior to deployment. Techniques such as static and dynamic analysis, version pinning, and thorough examination of CI/CD logs are essential for identifying malicious dependencies before they enter production environments.