Malicious npm package using steganography downloaded by hundreds

A malicious package in the Node Package Manager (NPM) index uses invisible Unicode characters to hide malicious code and Google Calendar links to host the URL for the command-and-control location.

The package, named os-info-checker-es6, appears as an information utility and has been downloaded more than 1,000 times since the beginning of the month.

Researchers at Veracode, a code security assessment company, found that the first version of the package was added to the NPM index on March 19 and was benign, as it only collected operating system information from the host. On May 7, a new version of the package was published, which featured code for "a sophisticated C2 (command-and-control) mechanism" that delivers the final payload.

The hidden code is carried by Unicode characters that are normally modifiers, typically used "to provide specific glyph variations in complex scripts." In this case, their role is to facilitate text-based steganography: hiding information in other data. Veracode decoded and deobfuscated the string to find a payload for a sophisticated C2 mechanism that relied on a Google Calendar short link to reach the location hosting the final payload. Using a function called ymmogvj, the URL is decoded to get a malware payload.

The researchers say that the request expects a base-encoded stage-2 malware payload in the response body, and likely an initialization vector and a secret key in the HTTP headers, an indication of possible encryption of the final payload. At the time of analysis, the researchers could not retrieve the final payload, suggesting that the campaign could be on hold or still in an early stage.

Furthermore, the package is listed as a dependency for four other NPM packages: skip-tot, vue-dev-serverr, vue-dummyy, and vue-bit. All pose as accessibility and developer platform engineering tools.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 15 May 2025 13:34:53 +0000


Cyber News related to Malicious npm package using steganography downloaded by hundreds

'everything' blocks devs from removing their own npm packages - Since these 3,000+ packages manage to include every single npm package on the npmjs.com registry as their dependency, npm package authors who have ever published to the npm registry would now be unable to remove their packages at will, because of ...
1 year ago Bleepingcomputer.com
PyPi package backdoors Macs using the Sliver pen-testing suite - A new package mimicked the popular 'requests' library on the Python Package Index to target macOS devices with the Sliver C2 adversary framework, used for gaining initial access to corporate networks. Discovered by Phylum, the campaign involves ...
1 year ago Bleepingcomputer.com
New NPM Attack Infecting Local Packages With Cleverly Hidden Malicious Payload - These packages act as downloaders, injecting malicious code into locally installed versions of the legitimate ethers package, ultimately creating a reverse shell on the victim’s machine. The threat actor may have been attempting to ...
1 month ago Cybersecuritynews.com
New npm attack poisons local packages with backdoors - Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor. In general, when downloading packages from package indexes like PyPI and ...
1 month ago Bleepingcomputer.com
Lazarus Hackers Weaponized 6 npm Packages To Steal Logins - The hackers successfully compromised six popular npm packages, injecting malicious code designed to harvest login credentials from thousands of developers and organizations worldwide. A sophisticated supply chain attack orchestrated by the notorious ...
2 months ago Cybersecuritynews.com Lazarus Group
Malicious NPM, PyPI Packages Stealing User Information - Check Point and Phylum are warning of recently identified NPM and PyPI packages designed to steal user information and download additional payloads. Taking advantage of the broad use of open source code in application development, malicious actors ...
2 years ago Securityweek.com
Python's Poisoned Package: Another 'Blank Grabber' Malware in PyPI - Python Package Index is a platform that offers an extensive range of packages to simplify and enhance the development process. Malicious actors regularly upload phishing packages in the platform's repository aimed at delivering malware to steal the ...
1 year ago Imperva.com
Malicious PyPI packages targeting highly specific MacOS machines - As part of our software package supply chain security efforts, we continuously scan for malware in newly released PyPI and NPM packages. In this post, we describe a particularly interesting cluster of malicious packages that we've identified. In late ...
11 months ago Securitylabs.datadoghq.com
Ripple XPRL Official NPM Package Hijacked To Inject Private Key Stealing Malware - “This package is used by hundreds of thousands of applications and websites, making it a potentially catastrophic supply chain attack on the cryptocurrency ecosystem,” warned Charlie Eriksen, a malware researcher at Aikido Security. The ...
3 weeks ago Cybersecuritynews.com
CVE-2022-29244 - npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of ...
2 years ago
WinRAR 7.10 boosts Windows privacy by stripping MoTW data - This allows the Mark-of-the-Web security feature to continue to work with extracted files, but the alternate data stream can no longer be used to learn where the file was downloaded. Modern file archives will propagate the MoTW found in archives to ...
2 months ago Bleepingcomputer.com
CVE-2021-43616 - ** DISPUTED ** The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier ...
2 years ago
CVE-2024-23633 - Label Studio, an open source data labeling tool had a remote import feature allowed users to import data from a remote web source, that was downloaded and could be viewed on the website. Prior to version 1.10.1, this feature could had been abused to ...
1 year ago
New Stego Campaign Leverages MS Office Vulnerability to Deliver AsyncRAT - Cybersecurity researchers have discovered a sophisticated malware campaign that employs steganography techniques to hide malicious code within seemingly innocent image files. This attack chain leverages an older Microsoft Office vulnerability ...
3 weeks ago Cybersecuritynews.com CVE-2017-0199
North Korean Lazarus hackers infect hundreds via npm packages - The packages contain malicious code designed to steal sensitive information, such as cryptocurrency wallets and browser data that contains stored passwords, cookies, and browsing history. The packages, which have been downloaded 330 times, are ...
2 months ago Bleepingcomputer.com
CVE-2021-39135 - `@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents ...
2 years ago
CVE-2023-26154 - Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versions of the package github.com/pubnub/go; versions of the package github.com/pubnub/go/v7 before 7.2.0; ...
1 year ago Tenable.com
Threat Actors Hijack Legitimate Crypto Packages to Inject Malicious Code - The attack specifically targets users of Atomic and Exodus wallets, hijacking transactions by injecting malicious code that redirects funds to attacker-controlled addresses. Once installed, the package examines the user’s system for installed ...
1 month ago Cybersecuritynews.com
CVE-2021-39134 - `@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package ...
2 years ago
Carding tool abusing WooCommerce API downloaded 34K times on PyPI - "This entire workflow—from harvesting product IDs and checkout tokens, to sending stolen card data to a malicious third party, and simulating a full checkout flow—is highly targeted and methodical," says Socket. A newly discovered ...
1 month ago Bleepingcomputer.com
Google Axes Staff In Assistant, Hardware, Engineering - Hundreds of job losses at Google, as staff are handed marching orders across multiple teams, amid exit of FitBit co-founders. Alphabet's Google is handing down bad news to hundreds of its staff this week, after confirming another tranche of job ...
1 year ago Silicon.co.uk
New Supply Chain Attack Targets Legitimate npm Package with 45,000 Weekly Downloads - Upon analysis, the malicious payload was identified as a sophisticated Remote Access Trojan (RAT) dubbed “RATatouille” due to its capability to hide among legitimate code while establishing persistence. Security analysis reveals the ...
6 days ago Cybersecuritynews.com
Malicious PyPi package hides RAT malware, targets Discord devs since 2022 - The attackers could use the malware to gain unauthorized access to credentials and more (e.g., tokens, keys, and config files), steal data and monitor system activity without being detected, remotely execute code for deploying further ...
1 week ago Bleepingcomputer.com
Hackers Using Weaponized PDF To Deliver Remcos RAT Malware on Windows - The campaign leverages a deceptive fake payment notice disguised as a SWIFT copy to trick victims into downloading a malicious PDF, ultimately leading to the deployment of the remote access trojan (RAT). The PowerShell script downloads an image file ...
1 week ago Cybersecuritynews.com
