Malicious npm Package Employs Unicode Steganography and Google Calendar for Payload Delivery

In a recent cybersecurity development, researchers have identified a malicious npm package named os-info-checker-es6, which masquerades as a utility for retrieving operating system information. This package employs sophisticated techniques, including Unicode-based steganography and the use of Google Calendar as a command-and-control (C2) dropper, to deliver secondary payloads to compromised systems.

The package was first published on the npm registry on March 19, 2025, by a user with the handle kim9123. As of now, it has been downloaded 2,001 times. The same user has also uploaded another package named skip-tot, which lists os-info-checker-es6 as a dependency and has been downloaded 94 times.

Initial versions of os-info-checker-es6 appeared benign, exhibiting no signs of malicious behavior. However, a subsequent version uploaded on May 7, 2025, introduced obfuscated code within the preinstall.js file. This code utilizes Unicode Private Use Area characters to conceal and extract a secondary payload.

The extracted malicious code is designed to contact a Google Calendar event short link (calendar.app[.]google/) containing a Base64-encoded string in its title. Decoding this string reveals a remote server with the IP address 140.82.54[.]223. In essence, Google Calendar serves as a dead drop resolver, obfuscating the attacker’s infrastructure.

At this stage, no additional payloads have been distributed, suggesting that the campaign may still be in development, dormant, or that the C2 server is configured to respond only to specific machines meeting certain criteria.

The use of a legitimate service like Google Calendar as an intermediary complicates detection and mitigation efforts, as it blends malicious activity with normal network traffic.

Further analysis revealed that three other packages—vue-dev-serverr, vue-dummyy, and vue-bit—list os-info-checker-es6 as a dependency. It’s suspected that these packages are part of the same malicious campaign.

This incident underscores the evolving sophistication of threats within the npm ecosystem. Attackers are continually refining their methods, employing multi-stage malware and leveraging trusted services to evade detection.

To counter such threats, defenders must focus on behavioral signals, such as unexpected post-install scripts, file overwrites, and unauthorized outbound traffic. Validating third-party packages before use, employing static and dynamic analysis, version pinning, and closely inspecting CI/CD logs are essential practices to detect and prevent malicious dependencies from reaching production environments.
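As an added example (not code from the original report or from the package it describes), the following Node.js scanner checks for two of the signals discussed above: Unicode Private Use Area characters hidden in a package's source files, and install-time lifecycle scripts declared in package.json. The sample package.json and preinstall.js contents are constructed for illustration and are not the real package's contents.

```javascript
// Added example: a defender-side scanner for Private Use Area (PUA) characters
// in package source and for npm lifecycle scripts that run at install time.

// Private Use Area ranges: the BMP block (U+E000..U+F8FF) and the two
// supplementary private-use planes (U+F0000..U+FFFFD, U+100000..U+10FFFD).
function isPrivateUse(cp) {
  return (cp >= 0xe000 && cp <= 0xf8ff) ||
         (cp >= 0xf0000 && cp <= 0xffffd) ||
         (cp >= 0x100000 && cp <= 0x10fffd);
}

// Count PUA code points in a source string; the offset is counted in code points.
function scanForPrivateUse(source) {
  let count = 0, firstOffset = -1, index = 0;
  for (const ch of source) {              // for-of walks code points, not UTF-16 units
    if (isPrivateUse(ch.codePointAt(0))) {
      if (firstOffset < 0) firstOffset = index;
      count++;
    }
    index++;
  }
  return { count, firstOffset, suspicious: count > 0 };
}

// Scripts npm runs automatically while installing a dependency.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

function findInstallHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS
    .filter((name) => Object.prototype.hasOwnProperty.call(scripts, name))
    .map((name) => ({ hook: name, command: scripts[name] }));
}

// Combine both signals for one package: an install hook AND PUA text in a file.
function report(pkg, sourceFiles) {
  const hooks = findInstallHooks(pkg);
  const findings = Object.entries(sourceFiles)
    .map(([file, text]) => ({ file, ...scanForPrivateUse(text) }));
  return { hooks, findings, flagged: hooks.length > 0 && findings.some((f) => f.suspicious) };
}

// Constructed sample input (hypothetical; not the real package's contents).
const SAMPLE_PACKAGE_JSON = {
  name: 'sample-pkg', version: '1.0.0',
  scripts: { preinstall: 'node preinstall.js', test: 'node test.js' },
};
const SAMPLE_PREINSTALL = "const x = '|\uE000\uE12F\uF8FF|'; require('os').platform();";
console.log(JSON.stringify(report(SAMPLE_PACKAGE_JSON, { 'preinstall.js': SAMPLE_PREINSTALL })));
```

A PUA hit alone is not proof of malice (some fonts and icon libraries legitimately use these code points), so treat the combination with an install hook as the trigger for manual review rather than an automatic block.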