Steganography NPM Attack Hides Pulsar RAT in Innocent PNG Images


Malicious NPM package buildrunner-dev embeds Pulsar RAT inside PNG images using steganography. The package typosquats the legitimate buildrunner name and evades scanners by encoding malware in pixel RGB values. Veracode uncovered a seven-layer obfuscated batch file delivering a UAC bypass and process hollowing.

Developers install via npm install triggering postinstall init.js script. Codeberg repository serves packageloader.bat with 1,653 obfuscated lines. Junk comments, fake base64, and dummy variables hide 21 functional instructions.

Batch file checks admin privileges then exploits fodhelper.exe UAC bypass silently. Conhost.exe launches hidden PowerShell evading behavioral detection. Anti-virus enumeration dictates customized infection paths.
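The fodhelper.exe bypass mentioned above (MITRE T1548.002, also the target of "Monitor fodhelper.exe registry abuse" in the defensive actions) leaves a footprint that endpoint telemetry can catch: a per-user write under the ms-settings protocol-handler class, followed by fodhelper.exe spawning a command shell instead of the Settings app. The detection logic below is an added example written for this article, not Veracode's detection content; it runs over constructed Sysmon-style events (EventID 1 process creation, EventID 12/13/14 registry events) with invented SIDs, paths and command lines.

```python
"""Detection logic for the fodhelper.exe UAC bypass pattern (MITRE T1548.002).

Added example for this article; not Veracode's detection content. The events
below are constructed Sysmon-style records (EventID 1 = process create,
EventID 12/13/14 = registry key/value events) with invented SIDs and paths.
"""
import json

# Per-user protocol-handler class that fodhelper.exe consults before the machine-wide
# one. A clean profile does not carry it, so any process creating or writing it is
# staging a handler hijack. Sysmon records HKCU as HKU\<user SID>\..., so match the
# suffix case-insensitively.
MS_SETTINGS_KEY = "\\software\\classes\\ms-settings"

# fodhelper.exe normally hands off to the Settings app, never to a shell interpreter.
SHELL_INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "conhost.exe",
                      "wscript.exe", "cscript.exe"}

# Constructed newline-delimited JSON log; a raw string keeps the JSON backslashes intact.
SAMPLE_LOG = r"""
{"EventID": 13, "Image": "C:\\Windows\\System32\\cmd.exe", "TargetObject": "HKU\\S-1-5-21-111-222-333-1001\\Software\\Classes\\ms-settings\\shell\\open\\command\\(Default)", "Details": "C:\\Users\\dev\\AppData\\Roaming\\CONSTRUCTED.bat"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\fodhelper.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "fodhelper.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\fodhelper.exe", "CommandLine": "powershell.exe -WindowStyle Hidden -File C:\\Users\\dev\\AppData\\Roaming\\CONSTRUCTED.ps1"}
{"EventID": 12, "Image": "C:\\Windows\\System32\\cmd.exe", "TargetObject": "HKU\\S-1-5-21-111-222-333-1001\\Software\\Classes\\ms-settings", "Details": ""}
{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-111-222-333-1001\\Software\\Classes\\.txt\\shell\\open\\command\\(Default)", "Details": "notepad.exe %1"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\fodhelper.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "fodhelper.exe"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (rule, image, detail) tuples for events matching the bypass pattern."""
    alerts = []
    for e in events:
        eid = e.get("EventID")
        if eid in (12, 13, 14) and MS_SETTINGS_KEY in e.get("TargetObject", "").lower():
            # Key created, value set, or key deleted (cleanup) under the per-user ms-settings class.
            alerts.append(("ms-settings handler key touched", e.get("Image", ""), e["TargetObject"]))
        elif eid == 1:
            parent = e.get("ParentImage", "").lower()
            child = e.get("Image", "").lower().rsplit("\\", 1)[-1]
            if parent.endswith("\\fodhelper.exe") and child in SHELL_INTERPRETERS:
                alerts.append(("fodhelper.exe spawned a shell", e["Image"], e.get("CommandLine", "")))
    return alerts


def demo():
    """Run the two rules over the constructed log."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, image, detail in demo():
        print(f"[{rule}] {image}: {detail}")
```

The explorer.exe events are included as negatives: a user registering a .txt handler or opening Optional Features through fodhelper.exe must not alert, while a shell writing the ms-settings class and fodhelper.exe spawning PowerShell both do. On a real estate, pair the registry rule with a response step that inspects and removes the rogue per-user key.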

ImgBB hosts two steganographic PNGs carrying encrypted payloads. 6b8owksyv28w.png (41×41px) contains 4,903-byte AMSI bypass PowerShell. 0zt4quciwxs2.png (141×141px) hides 136KB .NET loader in pixel noise.

Third PNG at i.ibb.co/tpyTL2Zg/s9rugowxbq8i.png serves as the live C2 channel. Pulsar RAT is downloaded and injected via process hollowing into legitimate Windows binaries. Startup folder persistence ensures execution after reboot.

Supply chain attacks weaponize developer trust in package managers. Abandoned legitimate packages create perfect typosquatting vectors. Steganography defeats signature and heuristic scanners completely.

package.json (Source – Veracode)

Attack Chain Table

| Stage       | Action                              | Technique               |
|-------------|-------------------------------------|-------------------------|
| Lure        | npm install buildrunner-dev         | Typosquatting           |
| Stage 1     | init.js downloads packageloader.bat | Codeberg repo           |
| Escalation  | fodhelper.exe UAC bypass            | MITRE T1548.002         |
| Stage 2     | Steganographic PNG extraction       | ImgBB pixel decode      |
| Persistence | %AppData%\protect.bat               | Startup folder          |
| Payload     | Pulsar RAT process hollowing        | Legit binary injection  |

Key Indicators

| Type        | Indicator                          |
|-------------|------------------------------------|
| NPM Package | buildrunner-dev                    |
| Batch File  | packageloader.bat                  |
| Persistence | %AppData%\protect.bat              |
| Executable  | JJYDJO.exe                         |
| C2 Image    | i.ibb.co/tpyTL2Zg/s9rugowxbq8i.png |
| AMSI PNG    | 6b8owksyv28w.png                   |
| Loader PNG  | 0zt4quciwxs2.png                   |

Two PNG images hosted on ImgBB carried the concealed malware (Source – Veracode)

Development pipelines require package allowlisting immediately. Postinstall script execution demands sandbox isolation.

Defensive Actions

  • Audit NPM dependencies weekly
  • Disable automatic postinstall hooks
  • Block ImgBB domains in corporate firewalls
  • Monitor fodhelper.exe registry abuse
  • Deploy steganography detection tools
  • Scan for protect.bat in AppData
  • Train developers on typosquatting risks
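The infection starts with npm running the package's postinstall hook, so the two controls above that bite hardest are refusing automatic lifecycle scripts and auditing which installed packages declare them. The script below is an added example for this article, not Veracode's or npm's tooling: it walks a node_modules tree, reads each package.json and reports every hook npm would run on its own during install. The packages it scans are constructed fixtures written to a temporary directory (the only detail taken from the article is a postinstall hook that runs init.js).

```python
"""Audit a node_modules tree for packages that declare auto-run install hooks.

Added example for this article (not Veracode's or npm's tooling). The sample
packages are constructed inline so the audit runs offline; "sample-benign" and
"@sample/helper" are invented names.
"""
import json
import tempfile
from pathlib import Path

# Lifecycle scripts npm executes automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def _is_package_manifest(path):
    """True for node_modules/<name>/package.json or node_modules/@scope/<name>/package.json."""
    pkg_dir = path.parent
    return pkg_dir.parent.name == "node_modules" or (
        pkg_dir.parent.name.startswith("@") and pkg_dir.parent.parent.name == "node_modules")


def find_install_hooks(node_modules):
    """Return [(package_name, hook, command)] for every auto-run install hook found."""
    findings = []
    for manifest in sorted(Path(node_modules).rglob("package.json")):
        if not _is_package_manifest(manifest):
            continue  # ignore manifests inside fixtures, docs or build output
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; report separately in real use
        scripts = pkg.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((pkg.get("name", manifest.parent.name), hook, scripts[hook]))
    return findings


def build_sample_tree(root):
    """Constructed fixtures: one benign package and two that declare install hooks."""
    samples = {
        "sample-benign": {"name": "sample-benign", "version": "1.0.0",
                          "scripts": {"test": "node test.js"}},
        "buildrunner-dev": {"name": "buildrunner-dev", "version": "0.0.1",
                            "scripts": {"postinstall": "node init.js"}},
        "@sample/helper": {"name": "@sample/helper", "version": "2.0.0",
                           "scripts": {"preinstall": "node setup.js"}},
    }
    for name, manifest in samples.items():
        pkg_dir = Path(root, "node_modules", *name.split("/"))
        pkg_dir.mkdir(parents=True, exist_ok=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return Path(root, "node_modules")


def demo():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_install_hooks(build_sample_tree(tmp))


if __name__ == "__main__":
    for name, hook, command in demo():
        print(f"{name}: {hook} -> {command}")
```

To stop hooks from running at all, set `ignore-scripts=true` in the project's .npmrc (or pass `npm install --ignore-scripts`), then run this audit and allowlist the few packages, typically native modules, whose install scripts are genuinely required, rather than letting every dependency execute code on a developer machine.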

Enterprise CI/CD pipelines face highest exposure. Compromised developer machines enable lateral movement. Rapid package removal lags behind sophisticated delivery.

FAQ

What technique hides malware in PNG images?

Steganography encodes payloads in RGB pixel values.

Which UAC bypass method deploys payload?

fodhelper.exe registry abuse without prompts.

Primary delivery vector used?

Typosquatted NPM package buildrunner-dev.

Final malware capability gained?

Pulsar RAT remote access and control.

Persistence location established?

Windows Startup folder via protect.bat.

Obfuscation layers in batch file?

Seven layers hiding 21 functional lines in 1,653 total.
