NPM Malware Hijacks Google Calendar to Evade Detection
A newly uncovered supply chain attack on the npm ecosystem uses Google Calendar as a covert command and control (C2) channel, according to security researchers at Veracode. The malware, embedded in JavaScript packages that have been downloaded more than 35,000 times, relies on obfuscated payloads to evade detection and to establish persistent access on developer machines.
Once installed, the malware abuses stolen OAuth tokens to authenticate to Google's APIs and communicates by modifying calendar events. Operators embed base64-encoded instructions in event descriptions and other text fields; because the traffic is ordinary HTTPS to Google endpoints that most organizations allowlist, it passes network filters and proxies that implicitly trust Google domains.
The malware also carries anti-analysis logic, including sandbox evasion and environment checks, and only activates when the host looks like a genuine development machine rather than an analysis environment. Exfiltration works the same way in reverse: stolen data is encoded into calendar entries that the operators later read back.
Analysts advise organizations to review which OAuth applications hold Calendar scopes, audit Node.js dependencies, and alert on unusual Calendar API activity such as high-volume event writes from unfamiliar clients. The campaign is another instance of attackers hiding C2 and exfiltration inside trusted cloud services so that malicious traffic blends in with legitimate use.
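The two detection ideas above, decoding suspicious base64 in calendar event text and flagging unexpected OAuth clients hitting the Calendar API, can be turned into simple hunting logic. The following Node.js script is an added example written for this page; it is not Veracode's tooling and not code from the malware. The event objects are shaped like Google Calendar API `events` resources (`summary`, `description`, `location`), the audit records and the `clientId`/`appName`/`method` fields are a constructed approximation of Workspace audit entries, and the allowlist and write-rate threshold are assumptions a team would tune to its own environment.

```javascript
// Added example (not from the original article or from Veracode): hunting
// heuristics for a Google Calendar dead-drop C2 channel.
// Assumptions: events look like Google Calendar API `events` resources; audit
// records are a constructed stand-in for Workspace audit log entries and all
// fall inside one review window; allowlist and threshold are illustrative.

const B64_TOKEN = /^[A-Za-z0-9+/]{16,}={0,2}$/;

// Decode a single whitespace-delimited token if it is canonical base64 whose
// plaintext is printable ASCII. Returns null for ordinary words that merely
// match the alphabet (e.g. "internationalization" decodes to binary junk).
function decodeIfBase64(token) {
  if (!B64_TOKEN.test(token) || token.length % 4 !== 0) return null;
  const buf = Buffer.from(token, 'base64');
  if (buf.toString('base64') !== token) return null; // non-canonical, not a real blob
  const text = buf.toString('utf8');
  return /^[\x20-\x7e\r\n\t]+$/.test(text) ? text : null;
}

// What makes decoded text look like tasking rather than a note: a URL to
// fetch a next stage from, or an interpreter / downloader invocation.
const TASKING = [/https?:\/\//i, /\b(curl|wget|node|sh|powershell)\b/i, /\beval\(/];

// Scan the free-text fields of one event; return one finding per decoded
// token that matches a tasking pattern.
function scanEvent(event) {
  const findings = [];
  for (const field of ['summary', 'description', 'location']) {
    const value = event[field];
    if (typeof value !== 'string') continue;
    for (const token of value.split(/\s+/)) {
      const decoded = decodeIfBase64(token);
      if (decoded && TASKING.some((re) => re.test(decoded))) {
        findings.push({ eventId: event.id, field, decoded });
      }
    }
  }
  return findings;
}

// Flag OAuth clients that call the Calendar events API without being on the
// allowlist, or that write events faster than any human-driven integration.
// `records` are assumed to all fall inside the window the limit applies to.
function flagCalendarClients(records, allowedClientIds, writesPerWindowLimit) {
  const perClient = new Map();
  for (const r of records) {
    if (!r.method.startsWith('calendar.events.')) continue;
    const entry = perClient.get(r.clientId) || { appName: r.appName, writes: 0, reads: 0 };
    if (/\.(insert|update|patch|delete)$/.test(r.method)) entry.writes += 1;
    else entry.reads += 1;
    perClient.set(r.clientId, entry);
  }
  const flagged = [];
  for (const [clientId, e] of perClient) {
    const reasons = [];
    if (!allowedClientIds.has(clientId)) reasons.push('client not in allowlist');
    if (e.writes > writesPerWindowLimit) reasons.push(`${e.writes} event writes in window`);
    if (reasons.length) flagged.push({ clientId, appName: e.appName, reasons });
  }
  return flagged;
}

// --- Constructed sample data (not real events, not real audit logs) ---
const STAGE_URL = 'https://c2.example.invalid/stage2.js'; // hypothetical
const SAMPLE_EVENTS = [
  { id: 'evt-1', summary: 'Sprint planning',
    description: 'Discuss internationalization roadmap', location: 'Room 4B' },
  { id: 'evt-2', summary: 'sync',
    description: 'note ' + Buffer.from(STAGE_URL).toString('base64'), location: '' },
];
const ALLOWED_CLIENTS = new Set(['calendar-web', 'zoom-addon-1']); // assumed allowlist
const SAMPLE_AUDIT = [
  { clientId: 'calendar-web', appName: 'Google Calendar', method: 'calendar.events.list' },
  { clientId: 'zoom-addon-1', appName: 'Zoom for Calendar', method: 'calendar.events.update' },
  ...Array.from({ length: 120 }, () =>
    ({ clientId: 'app-7f3', appName: 'Dev Helper', method: 'calendar.events.patch' })),
  { clientId: 'app-7f3', appName: 'Dev Helper', method: 'drive.files.list' },
];

const REPORT = {
  eventFindings: SAMPLE_EVENTS.flatMap(scanEvent),
  flaggedClients: flagCalendarClients(SAMPLE_AUDIT, ALLOWED_CLIENTS, 60),
};
console.log(JSON.stringify(REPORT, null, 2));
```

Two design points worth keeping when adapting this: the canonical round-trip check plus the printable-ASCII test is what keeps long ordinary words and binary-looking identifiers out of the findings, and the client check is deliberately split into "not expected" and "writing too fast", because an operator who steals a token from an allowlisted integration defeats the first test but still has to poll and update events at machine speed to use the channel.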
