A malicious npm package called os-info-checker-es6 uses invisible Unicode characters to hide malicious code and leverages Google Calendar links for command-and-control. Despite being reported, the compromised packages remain on the platform, posing ongoing security risks.
Keypoints
- The package os-info-checker-es6 has been exploited to deliver malware through npm.
- Attackers use invisible Unicode characters to embed hidden malicious payloads within code strings.
- The malware employs a sophisticated command-and-control mechanism via Google Calendar links.
- The package is a dependency of several other npm packages, which widens the attack surface.
- Security researchers found the malicious code still present on npm despite reporting the issue.
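The hiding technique in the keypoints above, invisible Unicode characters embedded in a string, can be surfaced by a simple source scan. The following is an added example (not code from the report, from npm, or from the os-info-checker-es6 package); the code-point ranges and the sample module are my own choices, and the sample is constructed rather than taken from the malicious package.

```javascript
// Added example: flag source lines that carry invisible or non-printing
// Unicode code points, the technique used to hide a payload inside a string.
// Ranges below are the usual suspects that render as nothing in most editors.
const INVISIBLE_RANGES = [
  [0x200b, 0x200f],   // zero-width space/non-joiner/joiner, LRM, RLM
  [0x202a, 0x202e],   // bidi embedding and override controls
  [0x2060, 0x2064],   // word joiner and invisible math operators
  [0xfeff, 0xfeff],   // zero-width no-break space (stray BOM)
  [0xe000, 0xf8ff],   // Private Use Area: blank in fonts that lack glyphs
  [0xe0000, 0xe007f], // Unicode "tag" characters, never visible
];

function isInvisible(cp) {
  return INVISIBLE_RANGES.some(([lo, hi]) => cp >= lo && cp <= hi);
}

// Returns one finding per affected line: { line, count, codePoints },
// where codePoints lists the distinct values seen, in order of appearance.
function findInvisibleCodePoints(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    const seen = new Map();
    for (const ch of text) {            // iterates by code point, not UTF-16 unit
      const cp = ch.codePointAt(0);
      if (isInvisible(cp)) seen.set(cp, (seen.get(cp) || 0) + 1);
    }
    if (seen.size > 0) {
      findings.push({
        line: idx + 1,
        count: [...seen.values()].reduce((a, b) => a + b, 0),
        codePoints: [...seen.keys()].map(
          (cp) => 'U+' + cp.toString(16).toUpperCase().padStart(4, '0')),
      });
    }
  });
  return findings;
}

// Constructed sample (not from any real package): a harmless-looking module
// whose third line hides zero-width and Private Use Area characters in a string.
const SAMPLE_SOURCE = [
  "const os = require('os');",
  "module.exports = () => os.platform();",
  "const marker = '|\u200b\u200c\ue001\ue002\u200b|';",
].join('\n');

console.log(JSON.stringify(findInvisibleCodePoints(SAMPLE_SOURCE), null, 2));
```

Treat a hit as a review flag rather than a verdict: Private Use Area characters also appear legitimately in icon fonts, so the finding should be read alongside what the surrounding code does with the string.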