Cybersecurity researchers have discovered a malicious package named "os-info-checker-es6" that disguises itself as an operating system information utility in order to stealthily drop a next-stage payload on compromised systems.
"This campaign employs clever Unicode-based steganography to hide its initial malicious code and uses a Google Calendar event short link as a dynamic dropper for the final payload," the report shared with The Hacker News said.
"os-info-checker-es6" was first published to the npm registry on March 19, 2025, by a user named "kim9123." It had been downloaded 2,001 times as of writing. The same user has also uploaded another npm package called "skip-tot," which lists "os-info-checker-es6" as a dependency. That package has been downloaded 94 times.
While the initial five versions showed no signs of data exfiltration or malicious behavior, a subsequent iteration uploaded on May 7, 2025, includes obfuscated code in the "preinstall.js" file that decodes Unicode "Private Use Area" characters to extract the next-stage payload.
The malicious code, for its part, is designed to contact a Google Calendar event short link ("calendar.app(.)google/
However, at this stage, no additional payloads are being served. This indicates either that the campaign is still a work in progress or that it is currently dormant. Another possibility is that it has already concluded, or that the command-and-control (C2) server is designed to respond only to specific machines that meet certain criteria.
"Such use of legitimate, widely trusted services like Google Calendar as intermediaries for the next C2 link is a clever tactic to evade detection and to make the initial stages harder to block," Veracode said.
Application security company Aikido, which also documented the activity, noted that three more packages list "os-info-checker-es6" as a dependency, although it is suspected that the dependent packages are part of the same campaign –
- vue-dev-serverr
- vue-dummyy
- vue-bit
"The os-info-checker-es6 package represents a sophisticated and evolving threat to the npm ecosystem," Veracode said. "The attacker demonstrated a progression from apparent testing to multi-stage malware."
The disclosure comes as a software supply chain security company highlighted typosquatting, Go repository caching abuse, obfuscation, multi-stage execution, slopsquatting, and abuse of legitimate services and developer tools as the six major adversary techniques adopted by threat actors in the first half of 2025.
"To counter this, defenders must focus on behavioral signals such as unexpected postinstall scripts, file overwrites, and unauthorized outbound traffic when vetting third-party packages," it noted.
"Static and dynamic analysis, version pinning, and close inspection of CI/CD logs are essential for catching malicious dependencies before they reach production."
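As an added example (not code from the article, Veracode, or Aikido), a small audit script in the spirit of the guidance above: it reports lifecycle scripts declared in package.json and flags runs of Unicode Private Use Area code points inside those scripts, the carrier that the os-info-checker-es6 "preinstall.js" used for its hidden payload. The package metadata and file contents below are constructed samples, not the real package.

```javascript
// Unicode Private Use Area ranges: BMP U+E000-U+F8FF plus the two
// supplementary private-use planes. Legitimate JavaScript sources almost
// never contain long runs of these, so a run is a strong steganography signal.
const PUA_RANGES = [[0xe000, 0xf8ff], [0xf0000, 0xffffd], [0x100000, 0x10fffd]];
// npm lifecycle hooks that run code automatically at install time.
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];

function isPrivateUse(cp) {
  return PUA_RANGES.some(([lo, hi]) => cp >= lo && cp <= hi);
}

// Returns runs of consecutive PUA code points as {offset, length}, where
// offset counts code points (not UTF-16 units) from the start of the source.
function findPrivateUseRuns(source) {
  const runs = [];
  let current = null;
  let offset = 0;
  for (const ch of source) { // string iteration yields whole code points
    if (isPrivateUse(ch.codePointAt(0))) {
      if (current) current.length += 1;
      else current = { offset, length: 1 };
    } else if (current) {
      runs.push(current);
      current = null;
    }
    offset += 1;
  }
  if (current) runs.push(current);
  return runs;
}

// Audits a package from its parsed package.json and a map of file -> source.
// Every lifecycle script is reported; a script file referenced by a hook that
// carries a PUA run of at least minRun code points is flagged as a carrier.
function auditPackage(pkg, files, minRun = 16) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE) {
    if (!scripts[hook]) continue;
    findings.push({ kind: 'lifecycle-script', hook, command: scripts[hook] });
    for (const [name, src] of Object.entries(files)) {
      if (!scripts[hook].includes(name)) continue;
      const hidden = findPrivateUseRuns(src).filter((r) => r.length >= minRun);
      if (hidden.length) findings.push({ kind: 'private-use-run', file: name, runs: hidden });
    }
  }
  return findings;
}

// Constructed sample: a preinstall hook whose script hides 24 PUA code points
// between two harmless statements (hypothetical package name).
const SAMPLE_PKG = { name: 'example-os-info', scripts: { preinstall: 'node preinstall.js' } };
const SAMPLE_FILES = {
  'preinstall.js': 'const os = require("os");' + '\uE000'.repeat(24) + 'console.log(os.platform());',
};
console.log(JSON.stringify(auditPackage(SAMPLE_PKG, SAMPLE_FILES), null, 2));
```

In a real pipeline the same check would run over the unpacked tarball of every dependency before `npm install`, alongside the outbound-traffic and file-overwrite monitoring the quoted guidance calls for.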