Malicious NPM Code Hides via Unicode, Google Calendar
A malicious package published to the Node Package Manager (NPM) repository has been found using Unicode-based steganography to conceal its true functionality, evading detection by traditional security tools. The package hides harmful code by embedding invisible Unicode characters within its script, a technique that obscures malicious instructions from both human reviewers and automated scanners.
In a further attempt to bypass scrutiny, the package uses Google Calendar links to host the command-and-control (C2) server URL. This unconventional method leverages a trusted platform to disguise the attacker’s infrastructure and maintain persistent communication with compromised systems.
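Both indicators described above (invisible Unicode code points spliced into source text, and a command-and-control address carried by a calendar.google.com link) can be surfaced with a static check run before a package is installed. The following is an added example written for this article, not code from the original report or from the malicious package. The set of flagged code point ranges, the scanner's function names and the constructed sample source are assumptions made for the demonstration:

```javascript
// Added example (not code from the article or the malicious package): a static
// check that flags two indicators in a JavaScript source string:
//  1. invisible or format-only Unicode code points that can hide logic from a reviewer
//  2. URLs whose host is calendar.google.com, used in the reported case as a C2 drop
// The sample input at the bottom is constructed for illustration.

// Code points that render as nothing (or as pure formatting) and so have no
// ordinary reason to appear inside program source. Assumed list; extend as needed.
const INVISIBLE_RANGES = [
  [0x200b, 0x200f],   // zero-width space / non-joiner / joiner, LRM, RLM
  [0x202a, 0x202e],   // bidirectional embedding and override controls
  [0x2060, 0x2064],   // word joiner and invisible operators
  [0x2066, 0x2069],   // bidirectional isolate controls
  [0x3164, 0x3164],   // Hangul filler (renders as a blank)
  [0xfe00, 0xfe0f],   // variation selectors
  [0xfeff, 0xfeff],   // zero-width no-break space (BOM) when not at offset 0
  [0xe0000, 0xe007f], // tag characters
  [0xe0100, 0xe01ef], // variation selectors supplement
];

function isInvisible(codePoint) {
  return INVISIBLE_RANGES.some(([lo, hi]) => codePoint >= lo && codePoint <= hi);
}

// Walk the source by code point (not UTF-16 unit) and record each invisible
// character with its line and column so a reviewer can locate it.
function findInvisibleCodePoints(source) {
  const hits = [];
  let line = 1;
  let col = 1;
  let offset = 0;
  for (const ch of source) {
    const cp = ch.codePointAt(0);
    if (cp === 0x0a) { line++; col = 1; offset += 1; continue; }
    // A BOM as the very first character of a file is normal; elsewhere it is suspect.
    if (isInvisible(cp) && !(cp === 0xfeff && offset === 0)) {
      hits.push({
        line,
        col,
        codePoint: 'U+' + cp.toString(16).toUpperCase().padStart(4, '0'),
      });
    }
    col++;
    offset += ch.length;
  }
  return hits;
}

// Extract http(s) URLs and keep those whose host is exactly calendar.google.com.
const URL_RE = /https?:\/\/[^\s'"`)<>]+/g;
function findCalendarUrls(source) {
  const found = [];
  for (const m of source.matchAll(URL_RE)) {
    let host;
    try { host = new URL(m[0]).hostname.toLowerCase(); } catch { continue; }
    if (host === 'calendar.google.com') found.push(m[0]);
  }
  return found;
}

// Combine both checks into one verdict for a source file.
function scanSource(source) {
  const invisible = findInvisibleCodePoints(source);
  const calendarUrls = findCalendarUrls(source);
  return { invisible, calendarUrls, suspicious: invisible.length > 0 || calendarUrls.length > 0 };
}

// Constructed sample: a harmless-looking helper with a zero-width space inside an
// identifier, a zero-width joiner inside a string, and a calendar URL in a constant.
// The URL is a placeholder, not an indicator from the report.
const SAMPLE = [
  'const fetch\u200bUrl = "https://calendar.google.com/calendar/u/0/r?placeholder=1";',
  'function greet(name) {',
  '  return "hello, " + name + "\u200d";',
  '}',
].join('\n');

console.log(JSON.stringify(scanSource(SAMPLE), null, 2));
```

Run it with `node` on the contents of any file you are about to install. Treat a hit as a review trigger rather than an automatic block: zero-width joiners and variation selectors occur legitimately inside emoji sequences and some localized strings, so a production version would allow-list those inside string literals and flag them anywhere else, while the calendar-URL check is cheap and rarely fires on benign packages.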
The discovery underscores ongoing concerns about the security of open-source software repositories, particularly in environments where developers frequently integrate third-party packages. While NPM remains a critical resource for JavaScript developers, incidents like this highlight the need for enhanced vigilance and improved threat detection mechanisms to prevent the infiltration of malicious components into widely used software ecosystems.
