
Google Calendar used as middleman for stealthy NPM malware

The legitimate Google Calendar platform was abused to facilitate a malicious command-and-control (C2) server connection in a stealthy NPM malware campaign discovered by Veracode researchers.

The malicious NPM package also used Unicode steganography to hide its malicious code in invisible characters, the Veracode Threat Research team said in a report Thursday.  

The package, called “os-info-checker-es6,” was first published on March 19, 2025, and originally only performed basic functions such as printing operating system details.

However, between March 22 and 23, new versions were published that were also functionally benign but considered suspicious due to the use of a hidden string encoded in invisible Unicode symbols.

By May 7, the hidden string was changed (in version 1.0.8) to include the malicious mechanism that retrieves and executes a payload from a Base64-encoded URL stored in a Google Calendar event.

The package had about 566 weekly downloads as of Thursday and was also a dependency in four other packages — skip-tot, vue-dev-serverr, vue-dummy and vue-bit — which are believed to be part of the same campaign.

Reverse engineering the hidden Unicode

The hidden portion of the code specifically used variation selectors from the Variation Selectors Supplement Unicode block (U+E0100 to U+E01EF). Variation selectors are Unicode symbols that are completely invisible on their own but are used to modify the appearance of a preceding character. For example, some characters in this block are used to display alternate versions of Japanese kanji that are used by administrative systems in Japan.

The code used the decode() function on a string that appeared to be a single vertical bar (|) but was actually a Base64-encoded string that was subsequently decoded with atob() and executed with eval(). Veracode discovered that the string was encoded in the final bytes of each selector (e.g., the xx in U+E01xx) with an offset of 0x10 (subtracting 16).

In the malicious version 1.0.8, the hidden code is executed to retrieve an additional payload via the Google Calendar middleman.
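A scanner for the encoding described above, as an added example that is not from the os-info-checker-es6 package or the Veracode report: it flags runs of Variation Selectors Supplement characters in JavaScript source and recovers the hidden text for triage. The function names, the run-length threshold and the sample string are assumptions made for this example, and the decoding follows this article's description of the offset.

```javascript
// Added example: a defensive scanner, not code from the package or from Veracode.
// Range from the article: Variation Selectors Supplement, U+E0100 to U+E01EF.
const VS_START = 0xe0100;
const VS_END = 0xe01ef;
const OFFSET = 0x10; // assumption from the article: low byte of the selector minus 0x10

// Base64-looking text is decoded for triage only; nothing is ever evaluated.
function tryBase64(text) {
  if (text.length % 4 !== 0 || !/^[A-Za-z0-9+\/]+={0,2}$/.test(text)) return null;
  return Buffer.from(text, "base64").toString("utf8");
}

// Report each run of consecutive supplement selectors. A legitimate ideographic
// variation sequence has one selector per base character, so minRun defaults to 2.
function findHiddenSelectorRuns(source, minRun = 2) {
  const runs = [];
  let line = 1;
  let current = null;
  const flush = () => {
    if (current && current.bytes.length >= minRun) {
      const hidden = current.bytes.map((b) => String.fromCharCode(b)).join("");
      runs.push({ line: current.line, length: current.bytes.length, hidden,
                  base64Decoded: tryBase64(hidden) });
    }
    current = null;
  };
  for (const ch of source) { // iterates by code point, not by UTF-16 unit
    const cp = ch.codePointAt(0);
    if (cp >= VS_START && cp <= VS_END) {
      if (!current) current = { line, bytes: [] };
      current.bytes.push(((cp & 0xff) - OFFSET) & 0xff);
    } else {
      flush();
      if (ch === "\n") line += 1;
    }
  }
  flush();
  return runs;
}

// Constructed sample: the string after "|" hides the Base64 text "aGk=" ("hi").
const SAMPLE =
  'const os = require("os");\n' +
  'console.log(decode("|\u{E0171}\u{E0157}\u{E017B}\u{E014D}"));\n';

console.log(findHiddenSelectorRuns(SAMPLE));
```

Run over the files of a dependency before installation or in CI, any reported run marks a string literal that carries more data than it displays.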

Misuse of the Google Calendar platform to host C2 details

Veracode found that the next stage of the attack began with the retrieval of a Google Calendar event short link, https://calendar[ . ]app[ . ]google/t56nfUUcugH9ZUkx9. The malware then scrapes the content of the “data-base-title” attribute from the HTML page of the Google Calendar event.

“This means the attacker likely created a Google Calendar event and embedded a Base64-encoded URL as the value for this attribute within the event’s description or title,” Veracode explained.

The Base64-encoded URL fetched from Google Calendar is then decoded and the payload from this URL executed via eval(). Veracode noted it was unable to fetch and identify the final payload from the decoded URL, possibly due to an anti-analysis check by the C2 server or due to the campaign having concluded.

The use of Google Calendar as an intermediary between the initial execution and the malicious C2 connection leverages Google Calendar’s legitimacy to throw off security tools and mask the package’s malicious nature.

Veracode noted similarities between this tactic and the proof-of-concept red team tool Google Calendar Rat, although there is no evidence the threat actor in the campaign directly used this tool. Google Calendar Rat directly utilizes the title and description fields of Google Calendar events for C2 communications, allowing an attacker to pass commands to the infected target by updating event descriptions.

Veracode reported the os-info-checker-es6 package to the NPM security team – as of Thursday afternoon the package was still available on the NPM repository.
