Security researchers at Veracode have unearthed a deeply obfuscated, multi-stage malware campaign hidden in two innocuous-looking packages on the popular npm repository. What began as an investigation into a curious use of Unicode obfuscation quickly escalated into the discovery of one of the most intricate npm-based attack chains ever documented.
The initial red flag came when the researchers examined the code inside the packages—only to be met with a wall of Unicode characters, mostly in Japanese Katakana and Hiragana. These characters weren’t decorative; they served as variable names in a script that kicked off the attack the moment a developer ran npm install.
This first script didn’t perform any malicious actions itself. Instead, it constructed and executed a second, slightly less obscure script. Each layer of the attack acted as a builder for the next, gradually unspooling the full payload.
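The pattern described above, an install-time lifecycle hook running a script whose identifiers are mostly Katakana or Hiragana, is one a package reviewer can check for mechanically. The following is an added example, not Veracode's tooling or anything from the packages themselves: it assumes an in-memory package (a parsed package.json plus a map of file paths to source) and flags lifecycle scripts whose referenced file has a high share of kana identifiers.

```javascript
// Added example (not Veracode's code): flag npm lifecycle hooks that run a script
// whose identifiers are dominated by Katakana/Hiragana characters.
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];
const KANA = /[\u3040-\u30ff]/u;               // Hiragana + Katakana blocks
const IDENT = /[\p{L}_$][\p{L}\p{N}_$]*/gu;    // identifier-like tokens in JS source

// Share of identifier-like tokens in `source` that contain at least one kana character.
function kanaIdentifierRatio(source) {
  const ids = source.match(IDENT) || [];
  if (ids.length === 0) return 0;
  const kana = ids.filter((id) => KANA.test(id)).length;
  return kana / ids.length;
}

// Resolve "node foo.js" / "node ./foo.js" in a script command to a file path.
function scriptFile(cmd) {
  const m = /\bnode\s+(?:\.\/)?([\w./-]+\.[cm]?js)/.exec(cmd);
  return m ? m[1] : null;
}

// pkg: parsed package.json; files: { path: source }. Returns one finding per hook.
function scanPackage(pkg, files, threshold = 0.5) {
  const findings = [];
  for (const hook of LIFECYCLE) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (!cmd) continue;
    const file = scriptFile(cmd);
    const ratio = file && files[file] ? kanaIdentifierRatio(files[file]) : 0;
    findings.push({ hook, cmd, file, kanaRatio: ratio, suspicious: ratio >= threshold });
  }
  return findings;
}

// Constructed sample (not from the real packages): a postinstall hook running a
// script whose variable names are kana; the script itself is harmless arithmetic.
const SAMPLE_PKG = { name: "example-pkg", scripts: { postinstall: "node setup.js" } };
const SAMPLE_FILES = {
  "setup.js": "const カ = 1; const き = カ + 2; const ク = き * カ; console.log(ク);",
};

console.log(JSON.stringify(scanPackage(SAMPLE_PKG, SAMPLE_FILES), null, 2));
```

A reviewer would treat a hit as a reason to read the hook's script by hand, not as proof of compromise; legitimate packages may use non-ASCII identifiers, and attackers can just as easily pick ASCII names.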
The second script connected to a remote server, firewall[.]tel, to download the next stage—yet another obfuscated script, this time encoded in binary. Decoded, it led to a fourth script using Base64 encoding.
This fourth layer attempted to disable security defenses by adding its own files to the Windows Defender exclusion list. It then retrieved and executed a batch file—a tangled web of hundreds of variables holding fragmented code. When assembled in the correct order, these fragments formed a compressed, encrypted, and encoded .NET DLL that was loaded directly into memory to avoid detection.

Even that DLL wasn’t the final payload. It fetched a seemingly benign PNG image from the internet, which turned out to be a steganographic Trojan horse. Hidden within the image pixels was another encrypted payload. The DLL decoded this and built a second, final DLL entirely in memory.
At the end of this 12-layer digital labyrinth, Veracode uncovered the true purpose of the attack: deployment of Pulsar, a Remote Administration Tool (RAT). While Pulsar has legitimate uses, in this case it functioned as a malicious backdoor, giving attackers full control over compromised systems.
Veracode has since reported the malicious npm packages to the platform’s security team, helping to prevent further infections. The company emphasized the growing sophistication of open-source supply chain attacks and urged developers to remain vigilant.