Malicious NPM package uses Unicode steganography to evade detection

A malicious package in the Node Package Manager index uses invisible Unicode characters to hide malicious code and Google Calendar links to host the URL for the command-and-control location. The package, named os-info-checker-es6, appears as an information utility and has been downloaded more than 1,000 times since the beginning of the month. Researchers at Veracode, a code security assessment company, found that the first version of the package was added to the Node Package Manager (NPM) index on March 19 and was benign, as it only collected operating system information from the host. The author added modifications a few days later to include platform-specific binaries and obfuscated install scripts. On May 7, a new version of the package was published, which featured code for "a sophisticated C2 (command-and-control) mechanism" that delivers the final payload. The latest version of 'os-info-checker-es6' available on npm at the time of writing is v1.0.8 and it is malicious, Verac ... Read full article.