
Malware authors have begun exploiting Google Calendar invites and Unicode Private Use Area (PUA) characters to deliver obfuscated malicious payloads via NPM packages.
Charlie Eriksen, a Malware Researcher at Aikido, uncovered this campaign involving a suspicious NPM package named os-info-checker-es6. The attack, which appeared benign at first glance, used obscure techniques like base64 encoding, Unicode PUA characters, and even a Google Calendar link to fetch malware.
The os-info-checker-es6 package masqueraded as a simple system info tool but had no documentation, no README, and no legitimate behavior. What made it suspicious was its use of a Rust binary and embedded JavaScript code that decoded strings from Unicode PUA characters, a method rarely seen in malware delivery.

“These are unassigned codes in the Unicode standard… inherently unprintable, as they mean nothing inherently,” explained Eriksen.
The decoded payload initially looked innocuous, consisting only of console.log('Check'). However, the deeper layers revealed more sinister intentions.
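
A defender can look for this kind of hidden string directly in package source. The following JavaScript is an added example, not code from the package or from Aikido's research: it reports runs of Private Use Area code points and, as a generalization beyond the article, variation selectors, which are equally invisible in an editor. The names findHiddenRuns and SUSPECT_RANGES, the run threshold of 8 and the sample input are assumptions constructed for illustration.

```javascript
// Code point ranges that render as nothing or as a placeholder glyph. The PUA
// ranges are what the article describes; variation selectors are an added generalization.
const SUSPECT_RANGES = [
  { name: 'PUA (BMP)', lo: 0xE000, hi: 0xF8FF },
  { name: 'PUA (plane 15)', lo: 0xF0000, hi: 0xFFFFD },
  { name: 'PUA (plane 16)', lo: 0x100000, hi: 0x10FFFD },
  { name: 'variation selector', lo: 0xFE00, hi: 0xFE0F },
  { name: 'variation selector supplement', lo: 0xE0100, hi: 0xE01EF },
];
const classify = (cp) =>
  (SUSPECT_RANGES.find(({ lo, hi }) => cp >= lo && cp <= hi) || {}).name || null;

// Return one finding per run of at least minRun consecutive suspect code points.
// The threshold (assumed default: 8) keeps single icon-font characters from alerting.
function findHiddenRuns(source, minRun = 8) {
  const findings = [];
  let line = 1;
  let run = null; // { line, length, kinds: Set }
  const flush = () => {
    if (run && run.length >= minRun) {
      findings.push({ line: run.line, length: run.length, kinds: [...run.kinds].sort() });
    }
    run = null;
  };
  for (const ch of source) { // for...of walks code points, so planes 14-16 are seen whole
    const kind = classify(ch.codePointAt(0));
    if (kind) {
      run = run || { line, length: 0, kinds: new Set() };
      run.length += 1;
      run.kinds.add(kind);
    } else {
      flush();
      if (ch === '\n') line += 1;
    }
  }
  flush();
  return findings;
}

// Constructed sample: one icon-font character (benign) and a call whose string
// argument carries 16 invisible plane-15 code points after a visible '|'.
const hidden = String.fromCodePoint(...Array.from({ length: 16 }, (_, i) => 0xF0000 + i));
const SAMPLE = [
  "const icon = '\uF015';",
  "const decode = require('./decoder');",
  `decode('|${hidden}');`,
].join('\n');

console.log(findHiddenRuns(SAMPLE));
```
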
Version 1.0.8 of the package included a hidden orchestrator script. Although obfuscated, this script decoded and executed additional JavaScript payloads delivered through a two-stage process:
- Stage One: Fetch a page hosted at https://calendar.app.google/t56nfUUcugH9ZUkx9 — a legitimate Google Calendar invite containing a base64-encoded string in the event title.
- Stage Two: Decode the string to access the real payload from an external server, such as: http://140.82.54[.]223/2VqhA0lcH6ttO5XZEcFnEA==
“Did you see the URL to Google Calendar in the orchestrator? That’s an interesting thing to see in malware. Very exciting,” Eriksen remarked.

Despite the technical depth, the malware didn't appear to activate its full potential. Some packages added to NPM, like vue-dummyy, vue-dev-serverr, and vue-bit, included the malicious package as a dependency but never invoked the decode function.
“Make no mistake—this was a novel approach to obfuscation… Instead, they seem to have done nothing with it, showing their hand,” Eriksen concluded.