
According to Veracode, since the beginning of May, the malicious os-info-checker-es6 package has been downloaded more than 1,000 times. Interestingly, the first version of this package added to npm on March 19 was relatively safe: it only collected information about the host.

Since then, the authors modified the package by including platform-specific binaries and obfuscated installation scripts. As a result, the new version published on May 7, 2025 contains sophisticated code for communicating with the C&C server from which the final payload is delivered.
The latest version of malicious os-info-checker-es6 (1.0.8) is still available on npm.
What’s worse, the malicious package is listed as a dependency for four other npm packages: skip-tot, vue-dev-serverr, vue-dummyy, and vue-bit. All of them are marketed as useful development and accessibility tools. The researchers were unable to determine whether these utilities are related to the same malicious campaign.
The malicious version of os-info-checker-es6 embeds data in a string that appears to be a single vertical bar ‘|’. However, this character is followed by a long sequence of invisible Unicode characters from the Variation Selectors Supplement range (U+E0100 to U+E01EF).
Typically, such characters are used as modifiers for preceding characters to provide specific glyph variations in complex scripts. In this malware, their function is to facilitate steganography (i.e. conceal information among other data).
Veracode experts decrypted and deobfuscated the long string of invisible characters, revealing a payload for a sophisticated C&C mechanism that uses a Google Calendar event short link as a dynamic dropper for its final payload.
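The invisible-character trick described above is also what makes the package detectable: legitimate text uses at most one or two variation selectors after a base character, so a long run of them hiding behind a single '|' is a strong signal. The scanner below is an added example, not code from the article or from the package, that walks JavaScript source by code point, flags runs of Variation Selectors Supplement characters (U+E0100 to U+E01EF, the block the article names) and, as an assumption for illustration only, also the basic VS1-VS16 block, and reports each run's carrier character, position, and raw offsets. The offset-to-byte mapping and the sample source string are constructed here; the article does not say how the package encodes its payload into the selectors.

```javascript
// Added example: detect runs of invisible Unicode variation selectors in
// JavaScript source. Not from the article or from os-info-checker-es6.

// Variation Selectors Supplement block named in the article.
const VSS_START = 0xe0100;
const VSS_END = 0xe01ef;
// Basic Variation Selectors (VS1-VS16). Assumption: included to widen the net;
// the article only mentions the Supplement block.
const VS_START = 0xfe00;
const VS_END = 0xfe0f;

function isVariationSelector(cp) {
  return (cp >= VSS_START && cp <= VSS_END) || (cp >= VS_START && cp <= VS_END);
}

// Build one report for a run of selectors. `offsets` is cp - VSS_START for the
// Supplement-block selectors; treating each offset as a byte is an assumed
// carrier encoding for illustration, not the package's real scheme.
function makeHit(carrier, startIndex, run) {
  const offsets = run.filter(cp => cp >= VSS_START).map(cp => cp - VSS_START);
  const preview = String.fromCharCode(...offsets.filter(b => b >= 0x20 && b < 0x7f));
  return { carrier, startIndex, length: run.length, offsets, preview };
}

// Scan `source` and return every run of at least `minRun` consecutive
// variation selectors. Indices are code-point indices, so astral-plane
// selectors count as one character each.
function findHiddenRuns(source, minRun = 8) {
  const hits = [];
  let run = [];
  let carrier = null;   // visible character the run hides behind
  let startIndex = 0;
  let index = 0;
  for (const ch of source) {
    const cp = ch.codePointAt(0);
    if (isVariationSelector(cp)) {
      if (run.length === 0) startIndex = index;
      run.push(cp);
    } else {
      if (run.length >= minRun) hits.push(makeHit(carrier, startIndex, run));
      run = [];
      carrier = ch;
    }
    index++;
  }
  if (run.length >= minRun) hits.push(makeHit(carrier, startIndex, run));
  return hits;
}

// Constructed sample: the text "hidden-data" hidden behind a '|' under the
// assumed one-selector-per-byte mapping. Test data only.
const HIDDEN_TEXT = 'hidden-data';
const SAMPLE_SOURCE =
  'const marker = "|' +
  [...HIDDEN_TEXT].map(c => String.fromCodePoint(VSS_START + c.charCodeAt(0))).join('') +
  '";';

// A legitimate emoji sequence (U+2602 U+FE0F) uses a single selector and
// must not be flagged.
const BENIGN_SOURCE = 'const umbrella = "\u2602\ufe0f";';

for (const hit of findHiddenRuns(SAMPLE_SOURCE)) {
  console.log(`run of ${hit.length} selectors after '${hit.carrier}' at index ${hit.startIndex}: ${hit.preview}`);
}
```

Run it over unpacked npm tarballs (for example every `.js` under `node_modules/<package>/`) before installing; a hit does not prove malice, but a run of dozens or hundreds of selectors in source code has no legitimate rendering purpose and warrants a manual look.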

After the Google Calendar link is retrieved, a series of redirects occurs until an HTTP 200 OK response is received. Then, the data-base-title attribute containing a base64-encoded URL pointing to the final payload is extracted from the event HTML page.
The response body contains a base64-encoded payload executed at the second stage of the attack; apparently, the initialization vector and secret key are passed in the HTTP headers, which indicates that the final payload can be encrypted.
The fetched payload is then Base64-decoded and executed via eval(). The script is saved to a temporary folder to prevent simultaneous execution of multiple instances.
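For an analyst reconstructing this chain from a captured event page, the useful step is pulling the next-stage URL out of the data-base-title attribute without touching the network. The helper below is an added example, not code from the article or from the package: it runs offline over saved HTML, finds every data-base-title attribute, and reports which values base64-decode to an http(s) URL. The attribute regex is a deliberately minimal matcher for triage rather than a full HTML parser, and the sample page and its example.invalid URL are constructed placeholders.

```javascript
// Added example: offline extraction of base64-encoded URLs from data-base-title
// attributes in a saved HTML page. Not from the article or from the package.

// Assumption: a minimal attribute matcher is enough for triage of saved pages;
// it is not a full HTML parser.
const ATTR_RE = /data-base-title\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;

// Decode `value` as base64 and return the URL it contains, or null if the
// value is not plausible base64 or does not decode to an http(s) URL.
function decodeBase64Url(value) {
  if (!/^[A-Za-z0-9+/=]+$/.test(value)) return null;   // titles with spaces etc. fail here
  const text = Buffer.from(value, 'base64').toString('utf8');
  let url;
  try {
    url = new URL(text);                                 // throws on garbage
  } catch {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.href;
}

// Return one record per data-base-title attribute: the raw value and the
// decoded URL (null when the attribute is an ordinary title).
function extractHiddenUrls(html) {
  const found = [];
  for (const m of html.matchAll(ATTR_RE)) {
    const raw = m[1] ?? m[2];
    found.push({ raw, url: decodeBase64Url(raw) });
  }
  return found;
}

// Only the records that actually carried a URL.
function hiddenUrlsOnly(html) {
  return extractHiddenUrls(html).filter(r => r.url !== null).map(r => r.url);
}

// Constructed sample page: one benign title, one base64-encoded placeholder URL.
// example.invalid is a reserved name and resolves nowhere.
const PLACEHOLDER_URL = 'https://example.invalid/next-stage';
const SAMPLE_HTML = `
<div class="event" data-base-title="Team sync"></div>
<div class="event" data-base-title='${Buffer.from(PLACEHOLDER_URL).toString('base64')}'></div>
<div class="event" data-base-title="Meeting"></div>
`;

for (const rec of extractHiddenUrls(SAMPLE_HTML)) {
  console.log(rec.url ? `hidden URL: ${rec.url}` : `ordinary title: ${rec.raw}`);
}
```

Feed it the HTML saved from the final hop of the redirect chain; any URL it returns is an indicator to block and to search for in proxy logs, and the decoded value should be handled as untrusted data, never fetched automatically from the analysis host.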
Interestingly, Veracode experts were unable to extract and examine the final payload; they believe that the campaign could be temporarily inactive or still at early development stages.
The researchers have already notified npm of their findings; however, the above-listed malicious packages weren’t removed from the platform yet.
