
According to Veracode, since the beginning of May, the malicious os-info-checker-es6 package has been downloaded more than 1,000 times. Interestingly, the first version of this package added to npm on March 19 was relatively safe: it only collected information about the host.

Since then, the authors modified the package by including platform-specific binaries and obfuscated installation scripts. As a result, its new version published on May 7, 2025 contains sophisticated code for communication with the C&C server from where the final payload is delivered.
The latest version of malicious os-info-checker-es6 (1.0.8) is still available on npm.
What’s worse, the malicious package is listed as a dependency for four other npm packages: skip-tot, vue-dev-serverr, vue-dummyy, and vue-bit. All of them are marketed as useful development and accessibility tools. The researchers were unable to determine whether these utilities are related to the same malicious campaign.
The malicious version of os-info-checker-es6 embeds data in a string that appears to be a single vertical bar ‘|’. However, this character is followed by a long sequence of invisible Unicode characters from the Variation Selectors Supplement range (U+E0100 to U+E01EF).
Typically, such characters are used as modifiers for preceding characters to provide specific glyph variations in complex scripts. In this malware, their function is to facilitate steganography (i.e. conceal information among other data).
Veracode experts decrypted and deobfuscated the long string of invisible characters revealing a payload for a sophisticated C&C mechanism that uses a Google Calendar event short link as a dynamic dropper for its final payload.

After receiving the Google Calendar link, a series of redirects occur until an HTTP 200 OK response is received. Then, the data-base-title attribute containing a base64-encoded URL pointing to the final payload is extracted from the event HTML page.
The response body contains a base64-encoded payload executed at the second stage of the attack; apparently, the initialization vector and secret key are passed in the HTTP headers, which indicates that the final payload can be encrypted.
The fetched payload is then Base64-decoded and executed via eval(
.The script is saved to a temporary folder to prevent simultaneous execution of multiple instances.
Interestingly, Veracode experts were unable to extract and examine the final payload; they believe that the campaign could be temporarily inactive or still at early development stages.
The researchers have already notified npm of their findings; however, the above-listed malicious packages weren’t removed from the platform yet.

2025.03.28 — Zero-day vulnerability in Windows results in NTLM hash leaks
Security experts reported a new zero-day vulnerability in Windows that enables remote attackers to steal NTLM credentials by tricking victims into viewing malicious files in Windows…
Full article →
2025.01.30 — Hackers use vulnerabilities in SimpleHelp RMM to attack corporate networks
Experts believe that recently patched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) were used by attackers to gain initial access to corporate networks. A number…
Full article →
2025.02.08 — Hackers exploit RCE vulnerability in Microsoft Outlook
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Federal Civilian Executive Branch (FCEB) Agencies that they have to secure their systems from ongoing…
Full article →
2025.04.08 — Website of Everest ransomware group hacked and defaced
Last weekend, the darknet website of the Everest ransomware group was hacked and went offline. The attackers replaced its content with a sarcastic message: "Don't do crime…
Full article →
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider
Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…
Full article →
2025.04.30 — Coinbase fixes 2FA bug that made customers panic
Cryptocurrency exchange Coinbase has fixed a bug in its Account Activity logs that caused customers to think their credentials were compromised. Earlier this month, BleepingComputer…
Full article →
2025.02.07 — 768 vulnerabilities were exploited by hackers in 2024
According to VulnCheck, 768 CVEs were registered as exploited in real-life attacks in 2024. This is 20% greater compared to 2023 when hackers exploited 639 vulnerabilities. Interestingly,…
Full article →
2025.03.07 — YouTube warns of scam video featuring its CEO
According to YouTube, scammers use an AI-generated video of the company's CEO in phishing attacks to steal user credentials. The scammers attack content creators by sending them…
Full article →
2025.03.24 — Alexa to stop processing data locally. All voice requests will be sent to Amazon Cloud
Amazon announced that the privacy option allowing users of Echo speakers to avoid sending their voice recordings to the company's cloud will no longer be supported. Effective March…
Full article →
2025.04.01 — Hackers abuse MU plugins to inject malicious payloads to WordPress
According to Sucuri, hackers store malicious code in the MU-plugins (Must-Use Plugins) directory in WordPress and execute it while remaining undetected. The technique was first discovered…
Full article →