John
Hidden inside ordinary image files, malware slips past security tools by wearing invisibility cloaks made of code tricks. Instead of shouting its presence, it whispers through pixels in PNGs, unseen. A rogue package on NPM becomes the delivery truck, rolling out backdoors without sirens.
Behind each fake picture lies a sleeping virus, waiting for the right signal. Steganography turns innocent visuals into secret containers.
The result? A quiet invasion where nothing looks wrong – until it is. Attackers hit devs using a fake npm tool called buildrunner-dev. A team at Veracode spelled out how it works. The package pretends to be real software that people trust. Mistyped names lead users right into its trap.
Package Discovery
Lately, security analysts noticed something odd about the buildrunner-dev NPM package. At first glance, it seems normal – just a standard package.json triggering init.js when installed.
Instead of hiding harmful code inside, the script pulls down a file called packageloader.bat from a Codeberg repo. That keeps the original package looking clean.
Once downloaded, the batch file is placed in the Windows Startup directory with a randomly generated name. Next time the user logs in, it activates automatically – quietly staying behind the scenes.
Skipping runs happens in continuous integration environments, on non-Windows machines, or when a debugger is attached.
Names such as telemetryEndpoint and traceToken mimic real tracking tools, masquerading as standard measurement scripts. Snyk detected it as harmful, and the tool was removed from the NPM registry. Content vanished after security alerts raised red flags.
Batch File Obfuscation
A single batch file named packageloader.bat runs long – over sixteen hundred lines – but just two dozen actually do anything. Scattered throughout are hundreds of remarks filled with odd phrases such as “raven monsoon galaxy.”
Instead of useful work, it spends most of its time declaring variables with SET, over a thousand times each, shaping tiny parts of a PowerShell script later assembled. Hidden among these are fake base64 entries that unravel into blank echo statements when decoded.
Much of what looks complex turns out to be filler meant to distract. Length comes more from repetition than function, while gaps between commands stretch things further.
Ghost variables appear without definition, then disappear – part of obfuscation’s structure. Fragments number nine hundred nine; never a completePowerShelll term in sight.
Names twist into nonsense: mUuCpEbawrsmMHS, random yet deliberate. Base64 decoys sit quietly until they spark false alarms unexpectedly.
Baselists fail by design, misleading anyone who digs too deep. Together, these choices slow down scanners that rely solely on patterns. Static analysis hits walls where confusion multiplies naturally.
Execution Flow
A copy lands in %AppData%\protect.bat – keeps things running later. Running “net session” shows whether it has full control; when access is low, a switch flips using fodhelper.exe.
The trick relies on modifying the ms-settings link in Windows settings via the registry. That meth, od listed as MITRE T1548.0,02 lifts limits quite;y, no pop-ups ever appear. After that climb up, old traces vanish from registry paths.
Up high, pieces join to form a PowerShell line running through hidden conhost.exe: powershell.exe -ep bypass -w h. From there, it accesses WMI to pull data on antivirus tools under root\SecurityCenter2\AntiVirusProduct.
| AV Detected | Action Taken |
|---|---|
| ESET Security | Skip payload |
| Malwarebytes or F-Secure | Download AMSI bypass PNG, execute via IEX |
| Other or None | Download the main PNG, load the .NET assembly |
This approach of handling each AV separately suggests focused checks.
Steganography Technique
From i.ibb.co, PowerShell pulls PNG files that appear to be random noise but contain hidden information. Right at the start, the image tells how much data is stored – using red and green values of the first two pixels blended into one number. After that, every pixel provides three more pieces through its color channels, moving left to right and top to bottom.
| Image Filename | Dimensions | File Size | Extracted Payload |
|---|---|---|---|
| 6b8owksyv28w.png | 41×41 px | 2.3 KB | 4,903 bytes PowerShell AMSI patch |
| 0zt4quciwxs2.png | 141×141 px | 67 KB | 59KB GZip -> 136KB .NET loader |
Pictures sit still, yet carry hidden strings of ones and zeros.
AMSI Bypasses
A tiny PNG file hides scrambled PowerShell code. This script leans on Reflection. Emit, building quick function pointers at runtime. It targets GetProcAddress and VirtualProtect through generated callbacks. The start of AmsiScanBuffer inside amsi.dll gets rewritten – six bytes swapped to force an error return.
That glitch tricks security tools into ignoring threats. Malwarebytes and F-Secure face this bypass directly.y
Big PNG becomes MZ .NET 4.x EXE (CheaperMyanmarCaribbean.exe), scrambled using layered naming such as CyberspaceShiftedElectronica.
Instead of running normally, it halts conhost.exe, removes existing code, slips in its own payload, then restarts execution. Encryption relies on AES and TripleDES with SHA256-derived keys. Avoids detection by skipping standard SSL checks. API calls are resolved using a modified DJB2 hash method; no imported function table is used. Unusual structure keeps everything hidden until runtime.
Starts with scanning memory to block AmsiScanBuffer. Then use a debug register break and a vectored handler instead. Another way is to hide code using nops followed by return edits. Some tricks work on any antivirus, others only stick around inside Avast. Persistence varies depending on which security tool is running.
Suddenly, a string begins to unwind – Base64 first, then shaped by SHA256 into a key, finally unlocked through AES-256-ECB. The moment it opens, a C2-linked PNG appears: i.ibb.co/tpyTL2Zg/s9rugowxbq8i.png. Inside that image, files take form – not long after, JJYDJO.exe lands alongside protect.bat.
Final Payload and Links
From the third PNG, data gets pulled and unlocked – splitting a TripleDES key – leading to a 976KB version of Pulsar RAT, an open tool once known as Quasar. This move feels familiar, like Veracode’s Unicode strike back in June 2025, hiding code through ImgBB images, plus Pulsar again making rounds.
A pattern appears across various NPM breaches, such as the one involving Splunk’s Quasar image-decoding method. Snyk has raised concerns about data flow risks, highlighting potential impacts on confidentiality, integrity, and availability.
Indicators Table
Hidden data slips into PNG images by tweaking color values, letting malware such as Pulsar ride inside ordinary-looking files.
Most antivirus scanners fail here – tiny shifts blend right in, noise levels stay quiet. Early pixels quietly store how much data follows, then every pixel after smuggles three bytes without drawing attention.
When used against NPM systems, it links up with scrambled script files, sneaks past user controls, and picks escape routes based on installed security tools, boosting its chances of slipping through.
Starting, image analysis software looks for oddities such as strange pixel patterns or excessive randomness where images shouldn’t have them. Instead of relying on single methods, programs including OPSWAT and StegExpose apply number-based checks to spot least significant bit manipulation – a frequent trick used here.
What happens next often shows up through system behavior – look closely at signs like PowerShell asking too many WMI questions or conhost.exe being twisted into something else, visible using Sysmon alongside EDR systems.
Sometimes detection relies on YARA rules that tag split-up script chunks or links pointing to ImgBB hosts; yet when code loads later during runtime, earlier inspections miss the mark.
Stopping trouble starts with clean software supplies. Check every NPM package using tools such as Snyk or Veracode, and shut out fake names by sticking to approved lists. Require clear dependency records so you can trace everything back to its source, and build steps in isolated spaces during automated pipelines to limit the impact of harmful setup scripts.
Set network rules that block links like i.ibb.co and known attack servers, and keep development areas separate from live systems. Teach developers what to watch for: avoid installing anything from unknown sources, rely on locked version files, and scan stored code snapshots with automated checks that catch hidden data layers.
Starting, endpoint protection stops AMSI bypasses using AppLocker rules while turning off unnecessary executables, such as fodhelper.exe.
Detection tools powered by artificial intelligence – say, CrowdStrike or Microsoft Defender catch sneaky code injections along with named synchronization objects like Global\uYiFNbGnafJ.
Big companies rely on zero-trust setups that check every downloaded file, analyzing image files through machine learning systems built on hidden data patterns.
Hiding data inside pixels now follows earlier tricks using strange Unicode characters – a sign of how attackers adapt. Companies that overlook weaknesses in shared code might wake up to find themselves under remote access tools quietly. planted
Spotting odd patterns in images helps, just as setting alerts for suspicious actions across systems does. Relying solely on outdated antivirus software leaves the door wide open. Fixing breaches means more work later, changing passwords, chasing hidden backdoors, yet scanning dependencies fast can block the first move entirely.
FAQ
Hidden messages live inside picture parts, tucked into color layers where scanners rarely look. Files like PNGs appear harmless yet carry secrets between their red, green, blue dots. These sneaky tricks let harmful code slip past security unnoticed – camouflaged as ordinary snapshots people see every day.
Through npm install buildrunner-dev, which runs postinstall. What happens next? The process activates automatically after installation. Triggered by what? A script that executes right after setup finishes. Happens when? Once the package installs, without user interaction needed. Initiated through? Dependency chain pulling in malicious code silently.
Site: thecybrdef.com
Reference: Source
