You're Invited: Delivering Malware via Google Calendar Invites and Potentially Unwanted Applications (PUAs)

  • Date and Discovery: On March 19th, 2025, the npm package os-info-checker-es6 was found and, on first inspection, did not appear to do what it claimed.
    • Package Information on npm: The package lacked a README file and showed limited information; it appeared to fetch system information.
  • Smelly Code: The package's preinstall.js file raised red flags with an eval() call on base64-encoded input. That input came from a decode() call into a native Node module and consisted of Unicode "Private Use Area" characters, which render as nothing visible.
  • Reverse Engineering: The small Rust binary shipped in the package contained none of the expected OS-information calls. The only code actually found in run.txt was console.log('Check');, which raised more questions than it answered.
  • Dependent Packages: Several published packages depended on os-info-checker-es6, including copies of other packages. None called the decode function.
  • Final Version: On May 7th, 2025, a new version of os-info-checker-es6 (1.0.8) was released with a longer obfuscated string and the eval call commented out. The decoded string contained malware code to fetch a Google Calendar link and a base64-encoded payload URL.
  • Indicators of Compromise: Compromised packages include os-info-checker-es6, skip-tot, vue-dev-serverr, vue-dummyy, and vue-bit. IP 140.82.54[.]223 and URL https://calendar.app[.]google/t56nfUUcugH9ZUkx9 are also associated.
  • Acknowledgement: Vector35 provided a trial license for their Binary Ninja tool to aid in the investigation.
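The two signals the summary above calls out (an install script combining eval() with base64 decoding and Unicode Private Use Area characters, and the named packages listed as indicators of compromise) lend themselves to a small defensive check. The following is an added example written for this page, not code from the original article or from the investigators; the sample preinstall script and package manifest are constructed for illustration and are not the real malware.

```javascript
// Unicode Private Use Area ranges: the BMP block plus the two supplementary planes.
const PUA_RANGES = [
  [0xe000, 0xf8ff],
  [0xf0000, 0xffffd],
  [0x100000, 0x10fffd],
];

function isPrivateUse(codePoint) {
  return PUA_RANGES.some(([lo, hi]) => codePoint >= lo && codePoint <= hi);
}

// Count PUA code points in a string. Iterating with for...of walks code points,
// so astral-plane characters (surrogate pairs) are counted once, not twice.
function countPrivateUse(text) {
  let n = 0;
  for (const ch of text) {
    if (isPrivateUse(ch.codePointAt(0))) n++;
  }
  return n;
}

// Heuristic review of an npm lifecycle script. Returns an array of finding tags;
// an empty array means none of the signals from the write-up were present.
function scanInstallScript(source) {
  const findings = [];
  if (/\beval\s*\(/.test(source)) findings.push('eval-call');
  if (/\bFunction\s*\(/.test(source)) findings.push('function-constructor');
  if (/base64/i.test(source) || /\batob\s*\(/.test(source)) findings.push('base64-decoding');
  const pua = countPrivateUse(source);
  if (pua > 0) findings.push(`private-use-chars:${pua}`);
  // A long run of invisible PUA characters is the strongest single signal the
  // summary describes: a payload hidden in code points that render as nothing.
  if (pua >= 16) findings.push('hidden-pua-payload');
  return findings;
}

// Package names listed as compromised in the indicators of compromise above.
const IOC_PACKAGES = new Set([
  'os-info-checker-es6', 'skip-tot', 'vue-dev-serverr', 'vue-dummyy', 'vue-bit',
]);

// Check every dependency field of a parsed package.json against the IoC list.
function findIocDependencies(manifest) {
  const fields = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  const hits = [];
  for (const field of fields) {
    for (const name of Object.keys(manifest[field] || {})) {
      if (IOC_PACKAGES.has(name)) hits.push(`${field}:${name}`);
    }
  }
  return hits;
}

// Constructed sample: an install script in the shape the summary describes
// (eval over a decoded base64 string padded with PUA characters). Not real malware.
const SAMPLE_PREINSTALL =
  "const d = require('./native').decode(" +
  JSON.stringify('\u{E001}'.repeat(20) + 'Y29uc29sZS5sb2coJ0NoZWNrJyk=') +
  ");\neval(Buffer.from(d, 'base64').toString());\n";

// Constructed sample manifest that pulls in two of the listed packages.
const SAMPLE_MANIFEST = {
  name: 'example-app',
  dependencies: { express: '^4.0.0', 'os-info-checker-es6': '^1.0.8' },
  devDependencies: { 'vue-dummyy': '*' },
};

console.log('script findings:', scanInstallScript(SAMPLE_PREINSTALL));
console.log('IoC dependencies:', findIocDependencies(SAMPLE_MANIFEST));
```

In practice you would run scanInstallScript over the `preinstall`, `install` and `postinstall` targets resolved from each package's `scripts` field, and findIocDependencies over your lockfile's package list rather than only the top-level manifest, since the write-up notes that the malicious package was reached through several dependent packages.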