Cybersecurity researchers have identified a malicious package titled “os-info-checker-es6,” masquerading as a utility for operating system information. Its primary function appears to be the stealthy installation of subsequent payloads on compromised systems.<\/p>\n
The campaign leverages intricate Unicode-based steganography to conceal its initial malicious code. Furthermore, it employs a Google Calendar event short link serving as a dynamic dropper for its final payload, as detailed in a report shared with The Hacker News.<\/p>\n
The “os-info-checker-es6” package first became available in the npm registry on March 19, 2025, uploaded by a user identified as “kim9123.” It has accumulated 2,001 downloads to date. Notably, this same user has released another npm package named “skip-tot,\u201d which lists “os-info-checker-es6” as a dependency and has been downloaded 94 times.<\/p>\n
Initially, the first five versions of this package exhibited no signs of malicious behavior or data exfiltration. However, a subsequent version released on May 7, 2025, has been found to contain obfuscated code within the “preinstall.js” file. This code parses Unicode “Private Use Access” characters to extract a next-stage payload.<\/p>\n
The malicious code is programmed to reach out to a Google Calendar event short link (formatted as “calendar.app[.]google\/”) containing a Base64-encoded string in the title. This string, once decoded, points to a remote server with the IP address “140.82.54[.]223.” Essentially, Google Calendar serves as a dead drop resolver, facilitating the obfuscation of the attacker\u2019s infrastructure.<\/p>\n
At present, no additional payloads have been identified. This situation raises questions regarding whether the campaign is still ongoing, currently dormant, or has already concluded. It could also indicate that the command-and-control (C2) server is designed to respond only to specific machines that meet predetermined criteria.<\/p>\n
Utilizing a legitimate and trusted service like Google Calendar as a conduit for hosting subsequent C2 links represents a calculated tactic by the attackers to evade detection, complicating efforts to block initial stages of the attack.<\/p>\n
The application security firm Veracode, along with Aikido\u2014which detailed similar activities\u2014has noted that three other packages have referenced “os-info-checker-es6” as a dependency. These packages are suspected of being part of the same campaign and include:<\/p>\n
– vue-dev-serverr
\n– vue-dummyy
\n– vue-bit<\/p>\n
Veracode emphasizes that the “os-info-checker-es6” package indicates a sophisticated and evolving threat within the npm ecosystem. The attacker shows a clear progression from initial testing to the deployment of a multi-stage malware framework.<\/p>\n
The revelation comes during a period in which software supply chain security company Socket has pointed out adversarial techniques such as typo-squatting, Go repository caching abuse, obfuscation, multi-stage execution, slopsquatting, and the exploitation of legitimate services and developer tools as prevalent threats.<\/p>\n
To mitigate these risks, security professionals must focus on behavioral indicators, including unexpected post-install scripts, file overwrites, and unauthorized outbound traffic, while diligently validating third-party packages prior to deployment. Techniques such as static and dynamic analysis, version pinning, and thorough examination of CI\/CD logs are essential for identifying malicious dependencies before they enter production environments.<\/p>\n","protected":false},"excerpt":{"rendered":"
Cybersecurity researchers have identified a malicious package titled “os-info-checker-es6,” masquerading as a utility for operating system information. Its primary function…<\/p>\n","protected":false},"author":1,"featured_media":1025,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"Default","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[28],"tags":[336,124,335],"class_list":["post-1024","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-calendar-link","tag-npm-package","tag-obfuscated-code"],"acf":[],"yoast_head":"\n