os-info-checker-es6
os-info-checker-es6 is a malicious NPM package disguised as an operating system information utility. It was initially published as a benign package on March 19, 2025, then later modified to include obfuscated install scripts and platform-specific binaries; a new version published on May 7, 2025 began delivering malicious payloads. Researchers reported that the package used invisible Unicode characters (U+E0100 to U+E01EF) in a preinstall.js file to conceal code, contacted a Google Calendar short link as a dead-drop resolver, extracted a final payload URL from a Google Calendar event’s data-base-title attribute encoded in base64, and executed retrieved code via JavaScript eval(). The malware also included a basic mechanism to prevent multiple instances from running simultaneously. It was described as delivering multi-stage payloads, but the final payload was not retrievable during analysis. The package was reported as version 1.0.8 and was downloaded about 655 times per week. It was also listed as a dependency in four other suspicious NPM packages: skip-tot, vue-dev-serverr, vue-dummyy, and vue-bit. No specific threat actor attribution, victim industry, or concrete IOCs beyond the package name, related package names, and use of Google Calendar dead-drop infrastructure were provided in the content.
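As an added defensive example, not code from the page or its sources: a small Node.js check that inspects a package's install-script hooks for the invisible variation-selector characters (U+E0100 to U+E01EF) and the eval() use described above. The package manifest and file contents are constructed for the demonstration.

```javascript
// Added example (not code from the page's sources): flag npm install hooks whose
// script files contain invisible Unicode variation selectors (U+E0100..U+E01EF)
// or call eval(), the two concealment traits reported for os-info-checker-es6.

const VS_SUPPLEMENT = /[\u{E0100}-\u{E01EF}]/gu; // Variation Selectors Supplement block

// Scan one script's source text and return a small report.
function scanScript(name, source) {
  const offsets = [];
  for (const m of source.matchAll(VS_SUPPLEMENT)) {
    offsets.push(m.index); // UTF-16 code-unit offset of each hidden character
  }
  const usesEval = /\beval\s*\(/.test(source);
  return {
    script: name,
    invisibleChars: offsets.length,
    firstOffset: offsets.length ? offsets[0] : -1,
    usesEval,
    suspicious: offsets.length > 0 || usesEval,
  };
}

// Scan a package: follow each lifecycle hook of the form "node <file>" to that file.
// pkgJson is the parsed package.json; files maps relative path -> file contents.
function scanPackage(pkgJson, files) {
  const scripts = pkgJson.scripts || {};
  const reports = [];
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    const m = cmd.match(/^node\s+(\S+)/);
    if (m && files[m[1]] !== undefined) {
      reports.push(scanScript(`${hook} -> ${m[1]}`, files[m[1]]));
    } else {
      // Non-file hooks (e.g. "node-gyp rebuild") are listed but not scanned here.
      reports.push({ script: hook, command: cmd, invisibleChars: 0, usesEval: false, suspicious: false });
    }
  }
  return reports;
}

// Constructed sample: a preinstall.js that looks harmless but carries hidden
// variation selectors right after the first statement.
const HIDDEN = '\u{E0101}\u{E0142}\u{E01A7}\u{E01EF}';
const samplePkg = { name: 'example-pkg', scripts: { preinstall: 'node preinstall.js' } };
const sampleFiles = {
  'preinstall.js': `const os = require("os");${HIDDEN}\nconsole.log(os.platform());\n`,
};

const report = scanPackage(samplePkg, sampleFiles);
console.log(JSON.stringify(report, null, 2)); // invisibleChars: 4, firstOffset: 25
```

A non-zero invisibleChars in any install hook is a strong signal on its own, since legitimate JavaScript has no reason to contain these code points outside string literals.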
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Malicious NPM package used to deliver multi-stage malware payloads.
Malicious NPM package that evolved from benign to delivering an obfuscated, multi-stage JavaScript payload, using invisible Unicode in an install script and Google Calendar short links as a dead-drop resolver to reach C2; it uses eval() and basic single-instance persistence.