{"id":1026,"date":"2025-05-15T16:31:47","date_gmt":"2025-05-15T13:31:47","guid":{"rendered":"https:\/\/trustcrypt.com\/detection-evasion-tactics-employed-by-malicious-npm-package-through-unicode-steganography\/"},"modified":"2025-05-15T16:31:47","modified_gmt":"2025-05-15T13:31:47","slug":"detection-evasion-tactics-employed-by-malicious-npm-package-through-unicode-steganography","status":"publish","type":"post","link":"https:\/\/trustcrypt.com\/ar\/detection-evasion-tactics-employed-by-malicious-npm-package-through-unicode-steganography\/","title":{"rendered":"Detection Evasion Tactics Employed by Malicious NPM Package Through Unicode Steganography"},"content":{"rendered":"<p style=\"text-align:center\"><img decoding=\"async\" alt=\"NPM\" height=\"900\" src=\"https:\/\/www.bleepstatic.com\/content\/hl-images\/2022\/07\/05\/NPM_head_pic.jpg\" width=\"1600\"><\/p>\n<p>A malicious package in the NPM registry hides its harmful code behind invisible Unicode characters and uses a Google Calendar link to reach its command-and-control (C2) infrastructure.<\/p>\n<p>The package, <em>os-info-checker-es6<\/em>, poses as a system-information utility and has been downloaded more than 1,000 times since the start of May.<\/p>\n<p>Researchers at Veracode found that the first version was published to the NPM registry on March 19. That version was benign: it only collected basic operating-system information from the host it was installed on.<\/p>\n<p>Later versions added platform-specific binaries and obfuscated the install scripts. 
The latest version, published on May 7, introduced what Veracode calls a &#8220;sophisticated C2 mechanism&#8221; for delivering the final payload.<\/p>\n<p>At the time of analysis, version 1.0.8 of &#8216;<a href=\"https:\/\/www.npmjs.com\/package\/os-info-checker-es6\" target=\"_blank\" rel=\"nofollow noopener\">os-info-checker-es6<\/a>&#8217; was still live and flagged as malicious by Veracode. It is also declared as a dependency by four other NPM packages: <a href=\"https:\/\/www.npmjs.com\/package\/skip-tot\" target=\"_blank\" rel=\"nofollow noopener\">skip-tot<\/a>, <a href=\"https:\/\/www.npmjs.com\/package\/vue-dev-serverr\" target=\"_blank\" rel=\"nofollow noopener\">vue-dev-serverr<\/a>, <a href=\"https:\/\/www.npmjs.com\/package\/vue-dummyy\" target=\"_blank\" rel=\"nofollow noopener\">vue-dummyy<\/a>, and <a href=\"https:\/\/www.npmjs.com\/package\/vue-bit\" target=\"_blank\" rel=\"nofollow noopener\">vue-bit<\/a>, which present themselves as accessibility and developer-platform tooling.<\/p>\n<p>How the threat actor promotes these packages is not known.<\/p>\n<h2>Unicode Steganography Explained<\/h2>\n<p>In the malicious version, the attacker hid data inside what looks like a harmless one-character string, &#8216;|&#8217;, followed by a long run of invisible Unicode characters from the Variation Selectors Supplement block (U+E0100 to U+E01EF).<\/p>\n<p>These code points are combining characters meant to select a specific glyph variant of the character before them, and on their own they render as nothing. That makes them usable for text-based steganography: arbitrary data can be encoded as a sequence of selectors and tucked into an otherwise innocuous string literal, where editors, diff views and casual code review will not show it.<\/p>\n<p>After decoding and deobfuscating the string, Veracode recovered a payload implementing a multi-stage C2 mechanism that uses a Google Calendar short link to point at the final payload.<\/p>\n<p>According to the researchers, the script fetches the Google Calendar link and follows the chain of redirects until it receives an HTTP 200 OK response. It then reads a <em>data-base-title<\/em> attribute from the event page&#8217;s HTML; that attribute holds a base64-encoded URL leading to the final payload.<\/p>\n<p>The URL is handed to a function named <em>ymmogvj<\/em>, which retrieves the payload. The response body is expected to contain a base64-encoded stage-2 payload, likely accompanied by an initialization vector and a secret key carried in HTTP headers, which suggests the final payload is encrypted in transit.<\/p>\n<p>Veracode also found that the payload is executed with <em>eval()<\/em>, so whatever the C2 returns runs as ordinary JavaScript in the Node process that loaded the package. The script additionally uses the system&#8217;s temporary directory as a simple guard to ensure that only one instance of the malware runs at a time.<\/p>\n<p>At the time of analysis, the researchers were unable to retrieve the final payload, which suggests the campaign may be paused or still in an early stage.<\/p>\n<p>Veracode reported its findings to NPM, but the packages remain available on the registry.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>os-info-checker-es6&apos; remains active and is classified as malicious by Veracode. 
Notably, this package is a dependency for four other NPM&#8230;<\/p>\n","protected":false},"author":1,"featured_media":1027,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"Default","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[28],"tags":[338,339,337],"class_list":["post-1026","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-installation-scripts","tag-temporary-directory","tag-unicode-characters"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.0 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Detection Evasion Tactics Employed by Malicious NPM Package Through Unicode Steganography - Trustcrypt<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/trustcrypt.com\/ar\/detection-evasion-tactics-employed-by-malicious-npm-package-through-unicode-steganography\/\" \/>\n<meta property=\"og:locale\" content=\"ar_AR\" \/>\n<meta property=\"og:locale:alternate\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Detection Evasion Tactics Employed by Malicious NPM Package Through Unicode Steganography\" \/>\n<meta property=\"og:description\" content=\"os-info-checker-es6&amp;apos; remains active and is classified as malicious by Veracode. 
Notably, this package is a dependency for four other NPM...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/trustcrypt.com\/ar\/detection-evasion-tactics-employed-by-malicious-npm-package-through-unicode-steganography\/\" \/>\n<meta property=\"og:site_name\" content=\"Trustcrypt\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-15T13:31:47+00:00\" \/>\n<meta name=\"author\" content=\"Trustscrypt\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u0643\u064f\u062a\u0628 \u0628\u0648\u0627\u0633\u0637\u0629\" \/>\n\t<meta name=\"twitter:data1\" content=\"Trustscrypt\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u0648\u0642\u062a \u0627\u0644\u0642\u0631\u0627\u0621\u0629 \u0627\u0644\u0645\u064f\u0642\u062f\u0651\u0631\" \/>\n\t<meta name=\"twitter:data2\" content=\"\u062f\u0642\u064a\u0642\u062a\u0627\u0646\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/trustcrypt.com\/detection-evasion-tactics-employed-by-malicious-npm-package-through-unicode-steganography\/\",\"url\":\"https:\/\/trustcrypt.com\/detection-evasion-tactics-employed-by-malicious-npm-package-through-unicode-steganography\/\",\"name\":\"Detection Evasion Tactics Employed by Malicious NPM Package Through Unicode 
Steganography\",\"isPartOf\":{\"@id\":\"https:\/\/trustcrypt.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/trustcrypt.com\/detection-evasion-tactics-employed-by-malicious-npm-package-through-unicode-steganography\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/trustcrypt.com\/detection-evasion-tactics-employed-by-malicious-npm-package-through-unicode-steganography\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/detection-evasion-tactics-employed-by-malicious-npm-package-through-unicode-steganography.webp\",\"datePublished\":\"2025-05-15T13:31:47+00:00\",\"author\":{\"@id\":\"https:\/\/trustcrypt.com\/#\/schema\/person\/469b1cf97b9f7ea4e4d7fa31689dfa9f\"},\"inLanguage\":\"ar\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/trustcrypt.com\/detection-evasion-tactics-employed-by-malicious-npm-package-through-unicode-steganography\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"ar\",\"@id\":\"https:\/\/trustcrypt.com\/detection-evasion-tactics-employed-by-malicious-npm-package-through-unicode-steganography\/#primaryimage\",\"url\":\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/detection-evasion-tactics-employed-by-malicious-npm-package-through-unicode-steganography.webp\",\"contentUrl\":\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/detection-evasion-tactics-employed-by-malicious-npm-package-through-unicode-steganography.webp\",\"width\":1792,\"height\":1024,\"caption\":\"Detection Evasion Tactics Employed by Malicious NPM Package Through Unicode Steganography\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/trustcrypt.com\/#website\",\"url\":\"https:\/\/trustcrypt.com\/\",\"name\":\"Trustcrypt\",\"description\":\"\u0627\u0644\u0623\u0645\u0646 \u0647\u0648 \u0627\u0633\u0645\u0646\u0627 
\u0627\u0644\u062b\u0627\u0646\u064a\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/trustcrypt.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"ar\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/trustcrypt.com\/#\/schema\/person\/469b1cf97b9f7ea4e4d7fa31689dfa9f\",\"name\":\"Trustscrypt\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"ar\",\"@id\":\"https:\/\/trustcrypt.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4c36ff3376565a0f4981e9397667feb08d5e09acacce32a52ea4a3f628e03692?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4c36ff3376565a0f4981e9397667feb08d5e09acacce32a52ea4a3f628e03692?s=96&d=mm&r=g\",\"caption\":\"Trustscrypt\"},\"sameAs\":[\"http:\/\/trustcrypt.com\"],\"url\":\"https:\/\/trustcrypt.com\/ar\/author\/trustscrypt\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Detection Evasion Tactics Employed by Malicious NPM Package Through Unicode Steganography - Trustcrypt","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/trustcrypt.com\/ar\/detection-evasion-tactics-employed-by-malicious-npm-package-through-unicode-steganography\/","og_locale":"ar_AR","og_type":"article","og_title":"[:en]Detection Evasion Tactics Employed by Malicious NPM Package Through Unicode Steganography[:] - Trustcrypt","og_description":"os-info-checker-es6&apos; remains active and is classified as malicious by Veracode. 
Notably, this package is a dependency for four other NPM...","og_url":"https:\/\/trustcrypt.com\/ar\/detection-evasion-tactics-employed-by-malicious-npm-package-through-unicode-steganography\/","og_site_name":"Trustcrypt","article_published_time":"2025-05-15T13:31:47+00:00","author":"Trustscrypt","twitter_card":"summary_large_image","twitter_misc":{"\u0643\u064f\u062a\u0628 \u0628\u0648\u0627\u0633\u0637\u0629":"Trustscrypt","\u0648\u0642\u062a \u0627\u0644\u0642\u0631\u0627\u0621\u0629 \u0627\u0644\u0645\u064f\u0642\u062f\u0651\u0631":"\u062f\u0642\u064a\u0642\u062a\u0627\u0646"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/trustcrypt.com\/detection-evasion-tactics-employed-by-malicious-npm-package-through-unicode-steganography\/","url":"https:\/\/trustcrypt.com\/detection-evasion-tactics-employed-by-malicious-npm-package-through-unicode-steganography\/","name":"Detection Evasion Tactics Employed by Malicious NPM Package Through Unicode Steganography","isPartOf":{"@id":"https:\/\/trustcrypt.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/trustcrypt.com\/detection-evasion-tactics-employed-by-malicious-npm-package-through-unicode-steganography\/#primaryimage"},"image":{"@id":"https:\/\/trustcrypt.com\/detection-evasion-tactics-employed-by-malicious-npm-package-through-unicode-steganography\/#primaryimage"},"thumbnailUrl":"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/detection-evasion-tactics-employed-by-malicious-npm-package-through-unicode-steganography.webp","datePublished":"2025-05-15T13:31:47+00:00","author":{"@id":"https:\/\/trustcrypt.com\/#\/schema\/person\/469b1cf97b9f7ea4e4d7fa31689dfa9f"},"inLanguage":"ar","potentialAction":[{"@type":"ReadAction","target":["https:\/\/trustcrypt.com\/detection-evasion-tactics-employed-by-malicious-npm-package-through-unicode-steganography\/"]}]},{"@type":"ImageObject","inLanguage":"ar","@id":"https:\/\/trustcrypt.com\/detection-evasion-tactics-employed-by-malici
ous-npm-package-through-unicode-steganography\/#primaryimage","url":"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/detection-evasion-tactics-employed-by-malicious-npm-package-through-unicode-steganography.webp","contentUrl":"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/detection-evasion-tactics-employed-by-malicious-npm-package-through-unicode-steganography.webp","width":1792,"height":1024,"caption":"Detection Evasion Tactics Employed by Malicious NPM Package Through Unicode Steganography"},{"@type":"WebSite","@id":"https:\/\/trustcrypt.com\/#website","url":"https:\/\/trustcrypt.com\/","name":"Trustcrypt","description":"\u0627\u0644\u0623\u0645\u0646 \u0647\u0648 \u0627\u0633\u0645\u0646\u0627 \u0627\u0644\u062b\u0627\u0646\u064a","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/trustcrypt.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"ar"},{"@type":"Person","@id":"https:\/\/trustcrypt.com\/#\/schema\/person\/469b1cf97b9f7ea4e4d7fa31689dfa9f","name":"Trustscrypt","image":{"@type":"ImageObject","inLanguage":"ar","@id":"https:\/\/trustcrypt.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4c36ff3376565a0f4981e9397667feb08d5e09acacce32a52ea4a3f628e03692?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4c36ff3376565a0f4981e9397667feb08d5e09acacce32a52ea4a3f628e03692?s=96&d=mm&r=g","caption":"Trustscrypt"},"sameAs":["http:\/\/trustcrypt.com"],"url":"https:\/\/trustcrypt.com\/ar\/author\/trustscrypt\/"}]}},"_links":{"self":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/posts\/1026","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/
wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/comments?post=1026"}],"version-history":[{"count":0,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/posts\/1026\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/media\/1027"}],"wp:attachment":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/media?parent=1026"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/categories?post=1026"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/tags?post=1026"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
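The following is an added example written for this page; it is not code from the article, from Veracode, or from the malicious package. It shows, in Node.js, how arbitrary bytes can be hidden in invisible Unicode variation selectors after a visible carrier such as "|", how to recover them, and, more usefully for a defender, how to scan a package's source for such runs. The byte-to-selector mapping (bytes 0 to 15 in U+FE00 to U+FE0F, bytes 16 to 255 in U+E0100 to U+E01EF) is an assumption for illustration; the article does not specify the encoding the malware used, and the detector deliberately covers both selector blocks rather than only the Supplement block the article names. The `extractStage2Url` helper emulates only the described `data-base-title` step on a constructed HTML snippet; the function name `ymmogvj`, the real C2 URL and any decryption logic are not reproduced. All sample inputs are constructed inline.

```javascript
// Added example (not code from the article, Veracode, or the malicious package).
// The byte-to-selector mapping below is an assumption for illustration.

const VS_BASE = 0xfe00;    // Variation Selectors block: U+FE00..U+FE0F (16 code points)
const VSS_BASE = 0xe0100;  // Variation Selectors Supplement: U+E0100..U+E01EF (240 code points)

// Map one byte to one invisible code point: 0..15 -> VS block, 16..255 -> VSS block.
function byteToSelector(b) {
  if (b < 0 || b > 255) throw new RangeError(`not a byte: ${b}`);
  return String.fromCodePoint(b < 16 ? VS_BASE + b : VSS_BASE + (b - 16));
}

// Inverse mapping; returns -1 for any code point that is not a variation selector.
function selectorToByte(cp) {
  if (cp >= VS_BASE && cp <= VS_BASE + 15) return cp - VS_BASE;
  if (cp >= VSS_BASE && cp <= VSS_BASE + 239) return cp - VSS_BASE + 16;
  return -1;
}

// Append the payload bytes, as selectors, to a visible carrier string such as "|".
function hide(carrier, payload) {
  let out = carrier;
  for (const b of payload) out += byteToSelector(b);
  return out;
}

// Recover the hidden bytes from a string; visible characters are ignored.
function extract(text) {
  const bytes = [];
  for (const ch of text) {
    const b = selectorToByte(ch.codePointAt(0));
    if (b >= 0) bytes.push(b);
  }
  return Buffer.from(bytes);
}

// Number of code points a reader would actually see (selectors excluded).
function visibleLength(text) {
  return [...text].filter((c) => selectorToByte(c.codePointAt(0)) < 0).length;
}

// Detection: report every run of variation selectors at least `minRun` code points long.
// Legitimate use (emoji presentation, CJK glyph variants) is a single selector after a
// visible character, so a long run is a strong signal of smuggled data.
const SELECTOR_RUN = /[\uFE00-\uFE0F\u{E0100}-\u{E01EF}]+/gu;

function findHiddenRuns(source, minRun = 8) {
  const hits = [];
  for (const m of source.matchAll(SELECTOR_RUN)) {
    const count = [...m[0]].length;                       // code points, not UTF-16 units
    if (count < minRun) continue;
    hits.push({
      line: source.slice(0, m.index).split('\n').length,   // 1-based line of the run
      count,
      precededBy: m.index > 0 ? source[m.index - 1] : '',  // the visible "carrier" character
      decodedPreview: extract(m[0]).toString('latin1').slice(0, 40),
    });
  }
  return hits;
}

// Emulate the described C2 step offline: pull a base64-encoded URL out of a
// `data-base-title` attribute in an HTML document (constructed input, no network).
function extractStage2Url(html) {
  const m = /data-base-title=["']([A-Za-z0-9+/=]+)["']/.exec(html);
  return m ? Buffer.from(m[1], 'base64').toString('utf8') : null;
}

// --- demonstration on constructed input ---------------------------------------------
const STAGE2_SOURCE = 'console.log("stage two would run here")';   // stand-in payload
const CARRIER_LITERAL = hide('|', Buffer.from(STAGE2_SOURCE, 'utf8'));
// A fake module that appears to store nothing more than "|" in a string literal:
const SAMPLE_MODULE = `const os = require('os');\nconst marker = '${CARRIER_LITERAL}';\nmodule.exports = { marker };\n`;
const SAMPLE_EVENT_HTML = `<div class="event" data-base-title="${Buffer.from('https://example.invalid/stage2', 'utf8').toString('base64')}"></div>`;

console.log('visible code points in literal:', visibleLength(CARRIER_LITERAL));
console.log('findings:', findHiddenRuns(SAMPLE_MODULE));
console.log('recovered payload:', extract(CARRIER_LITERAL).toString('utf8'));
console.log('stage-2 URL from constructed event page:', extractStage2Url(SAMPLE_EVENT_HTML));
```

Run it with `node` and the detector reports one run on line 2 of the fake module, preceded by `|`, with a byte count equal to the hidden payload. In practice, `findHiddenRuns` is the piece worth keeping: run it over every `.js`, `.mjs` and `.json` file under `node_modules` after an install, treat any hit as a blocker, and keep `minRun` above 1 so that ordinary emoji presentation selectors do not trigger it.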