In March 2025, security researchers at Aikido discovered a suspicious npm package named “os-info-checker-es6”. It appeared to check system information but contained hidden malicious code.
The key finding was a seemingly harmless vertical bar character (“|”) in the code. However, this character concealed dangerous content using invisible Unicode Private Use Area (PUA) characters.
Malicious Payload Hidden in a Single Character
Researchers explained, “That single character wasn’t a simple pipe symbol. It included invisible PUA characters, ideal for hiding malicious code.”
When decoded, this character revealed base64-encoded instructions. These instructions connected to Google Calendar for command and control (C2) operations.
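A defender can check source files for this kind of hidden content before installing or publishing a package. The following scanner is an added example, not code from the original report or from Aikido; it covers the Private Use Area ranges named above and, going beyond the page, variation selectors and tag characters, which are equally invisible when rendered.

```javascript
// Added example (not Aikido's tooling): flag runs of invisible code points.
const HIDDEN_RANGES = [
  [0xE000, 0xF8FF, 'PUA (BMP)'],
  [0xF0000, 0xFFFFD, 'PUA-A'],
  [0x100000, 0x10FFFD, 'PUA-B'],
  // Beyond the page: other ranges that render as nothing.
  [0xFE00, 0xFE0F, 'variation selector'],
  [0xE0100, 0xE01EF, 'variation selector supplement'],
  [0xE0000, 0xE007F, 'tag'],
];

function classify(cp) {
  for (const [lo, hi, name] of HIDDEN_RANGES) {
    if (cp >= lo && cp <= hi) return name;
  }
  return null;
}

// One finding per run of consecutive hidden code points on a line.
// minRun = 2 skips the lone U+FE0F that legitimately follows an emoji.
function findHiddenRuns(source, minRun = 2) {
  const findings = [];
  let line = 1, column = 0, run = null;
  const flush = () => {
    if (run && run.length >= minRun) {
      findings.push({ ...run, kinds: [...run.kinds].sort() });
    }
    run = null;
  };
  for (const ch of source) { // for...of walks code points, not UTF-16 units
    if (ch === '\n') { flush(); line++; column = 0; continue; }
    column++;
    const kind = classify(ch.codePointAt(0));
    if (!kind) { flush(); continue; }
    if (!run) run = { line, column, length: 0, kinds: new Set() };
    run.length++;
    run.kinds.add(kind);
  }
  flush();
  return findings;
}

// Constructed sample: a benign emoji line, then a '|' followed by eight
// invisible code points (arbitrary values; decode() is a hypothetical name).
const hidden = String.fromCodePoint(
  ...Array.from({ length: 8 }, (_, i) => 0xE0100 + i));
const SAMPLE = "const ok = '\u2764\uFE0F';\n" +
  "const data = decode('|" + hidden + "');";
console.log(findHiddenRuns(SAMPLE));
```

Columns are counted in code points, so the reported position points at the first invisible character directly after the visible “|”.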
Google Calendar Used for Malware Delivery
The malware fetched payloads through Google Calendar invite URLs. The invitations included base64-encoded strings that directed victims to attacker-controlled servers.
Charlie Eriksen commented, “This shows how attackers are evolving. By using Google Calendar, they bypass email security tools that would block typical phishing attachments.”
Independent research from Check Point confirmed similar attacks. Cybercriminals modified email headers to make malicious messages look like legitimate Google Calendar invites.
Victims interacting with these invites were redirected to phishing websites aimed at stealing credentials and financial data.
Wider Attack Surface Through NPM Packages
The attackers extended their campaign beyond a single package. Researchers found several npm packages using the same technique:
- skip-tot
- vue-dev-serverr
- vue-dummyy
- vue-bit
Each of these packages added the malicious “os-info-checker-es6” as a dependency, increasing the risk of compromise.
Google’s Response and Security Recommendations
Google acknowledged the threat and advised users to enable the “known senders” setting in Google Calendar. This helps block suspicious invites from unknown sources.
Security experts recommend the following measures:
- Be cautious with unexpected calendar invites, especially those far in the future.
- Always verify the sender’s identity before accepting invites or clicking links.
- Keep all software updated to fix known vulnerabilities.
- Report suspicious calendar invites as spam through Google Calendar’s built-in tools.
A Growing Threat to Users and Organizations
This attack shows how cybercriminals are finding new ways to deliver malware. By hiding code in a single character and using trusted platforms like Google Calendar, they are creating serious risks.
Both individuals and organizations must stay alert. Vigilance, combined with proper security settings and updates, is essential to defend against these evolving threats.