Malicious npm Package Hides Pulsar RAT in PNG Images
A highly sophisticated malicious npm package named buildrunner-dev has been discovered delivering a multi-stage Windows malware chain that ultimately deploys the Pulsar .NET Remote Access Trojan (RAT). The attack combines typosquatting, layered obfuscation, UAC bypass, steganography, AMSI evasion, and process hollowing to evade detection across multiple security products.
The package name mimics legitimate but largely abandoned “buildrunner” libraries, increasing the likelihood of accidental installation.
Its package.json contains a postinstall hook pointing to init.js. On execution, this script downloads a heavily obfuscated batch file from an external repository rather than embedding malicious code directly inside the npm package, reducing static detection risk.
Stage One: Obfuscated Batch Dropper
The downloaded batch file contains 1,653 lines, but only about 21 perform real actions. The rest consists of filler content such as random REM comments, fake base64 strings, junk variables, and fragmented payload components.
The obfuscation stack includes:
- Undefined “ghost” variables that resolve to empty strings
- Fragmentation of the PowerShell command across 900+ variables
- Decoy base64 commands to mislead scanners
- Large entropy inflation through junk strings
- Randomized variable naming to defeat pattern matching
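The fragmentation and "ghost variable" tricks in this list are what an analyst has to undo before the 21 real lines become readable. The following added example (written for this page, not the campaign's script or any vendor tooling) is a small static resolver that collects `set` assignments, expands `%name%` references the way `cmd.exe` does (undefined names become empty strings), and reports which names were ghosts and which definitions were never referenced, the latter being a good indicator of decoy base64 and junk variables. The batch text it runs on is a constructed sample in the style described above; the `ghost_a`, `ghost_b`, `f1`..`f5` and `q9` names are assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass, field

# Recognise `set name=value` and `set "name=value"` (cmd.exe variable names are case-insensitive).
SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=(.*?)"?\s*$', re.IGNORECASE)
# Lines that carry no behaviour: REM comments and the `::` label-comment idiom.
REM_RE = re.compile(r'^\s*(?:rem\b|::)', re.IGNORECASE)
# A %name% reference (this static resolver ignores delayed !name! expansion and %% escapes).
VAR_RE = re.compile(r'%([^%\s]+)%')


@dataclass
class BatchReport:
    variables: dict                                  # lowercased name -> value
    commands: list                                   # expanded non-assignment lines
    ghosts: set = field(default_factory=set)         # referenced but never defined
    unreferenced: set = field(default_factory=set)   # defined but never used (decoy/junk)


def resolve_batch(text, environment=None):
    """Statically resolve %var% fragments in a batch script.

    `environment` seeds genuine environment variables (e.g. {'APPDATA': ...}) so they
    are not misreported as ghosts; anything else undefined expands to '' as cmd.exe does.
    """
    variables = {k.lower(): v for k, v in (environment or {}).items()}
    raw_commands = []
    for line in text.splitlines():
        if not line.strip() or REM_RE.match(line):
            continue                                  # filler: no behaviour to recover
        m = SET_RE.match(line)
        if m:
            variables[m.group(1).lower()] = m.group(2)
            continue
        raw_commands.append(line)

    ghosts, used = set(), set()

    def expand(match):
        name = match.group(1).lower()
        used.add(name)
        if name not in variables:
            ghosts.add(name)
            return ''                                 # ghost variable -> empty string
        return variables[name]

    commands = [VAR_RE.sub(expand, c).strip() for c in raw_commands]
    defined = set(variables) - set(k.lower() for k in (environment or {}))
    return BatchReport(variables, commands, ghosts, defined - used)


# Constructed sample in the style described above: junk REM lines, a decoy base64
# variable, the real command split across fragments, and two undefined ghost variables.
SAMPLE_BATCH = r'''@echo off
REM 8f2a9c filler comment
set "f1=pow"
set "f2=ersh"
set q9=Q29uc29sZS5Xcml0ZUxpbmUoIngiKQ==
set "f3=ell"
:: more filler
set "f4= -w hidden -c "
set "f5=Write-Host sample"
%f1%%f2%%ghost_a%%f3%%f4%%ghost_b%%f5%
'''


def analyse_sample():
    return resolve_batch(SAMPLE_BATCH)


if __name__ == '__main__':
    report = analyse_sample()
    for cmd in report.commands:
        print('CMD         :', cmd)
    print('ghosts      :', sorted(report.ghosts))
    print('unreferenced:', sorted(report.unreferenced))
```

Against a real dropper, seed `environment` with the variables the script legitimately reads (`APPDATA`, `TEMP`, and so on) so that only attacker-controlled undefined names end up in `ghosts`; a high ratio of unreferenced definitions to referenced ones is itself a useful triage signal for this kind of filler-heavy script.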
After deobfuscation, the script performs four key actions:
- Copies itself to `%AppData%\protect.bat` for persistence
- Checks for administrator privileges
- Executes a silent UAC bypass using `fodhelper.exe`
- Launches a hidden PowerShell process through `conhost.exe --headless`
The UAC bypass abuses the ms-settings protocol handler registry keys, allowing elevation without triggering a User Account Control prompt.
Stage Two: AV-Aware PowerShell Loader
Once elevated, the reconstructed PowerShell payload enumerates installed antivirus products via WMI. The execution path varies depending on the detected product:
- If Malwarebytes or F-Secure is present, it first deploys an AMSI bypass.
- If ESET is detected, execution may halt.
- Otherwise, it proceeds directly to the main payload stage.
This AV-specific branching indicates testing against targeted environments.
Stage Three: PNG Steganography
The loader downloads PNG images from a public image hosting platform. These images contain hidden payloads encoded directly into RGB pixel values.
The extraction algorithm works as follows:
- The first two pixels encode the payload size as a 32-bit integer.
- Each subsequent pixel stores three bytes of data in its R, G, and B channels.
- Pixels are read sequentially left to right, top to bottom.
Two primary variants were recovered:
| Image | Size | Extracted Payload |
|---|---|---|
| 41 × 41 PNG | 2.3 KB | 4,903-byte PowerShell AMSI patch |
| 141 × 141 PNG | 67 KB | 59 KB GZip-compressed .NET assembly |
The smaller payload patches AmsiScanBuffer in memory to disable malware scanning. The larger image decompresses into a 136 KB .NET assembly.
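To make the pixel layout described in this stage concrete, here is an added example (written for this page, not the loader's code or anything from the original write-up) that decodes a PNG with only the Python standard library, reads the length from the first two pixels, pulls the payload from the R, G and B channels of the following pixels in raster order, and reports whether the declared length even fits inside the image. Two assumptions are not stated in the article and are marked as such in the code: the 32-bit length is taken from the first four channel bytes in little-endian order, and only 8-bit non-interlaced RGB/RGBA images are handled. `build_sample_png` exists only to construct a test carrier so the extractor can be exercised offline; the capacity figures it computes for the 41 × 41 and 141 × 141 images above are consistent with the payload sizes in the table.

```python
import struct
import zlib

PNG_SIG = b'\x89PNG\r\n\x1a\n'


def _paeth(a, b, c):
    """PNG Paeth predictor (filter type 4)."""
    p = a + b - c
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    if pa <= pb and pa <= pc:
        return a
    return b if pb <= pc else c


def _unfilter(raw, width, height, bpp):
    """Undo the per-scanline PNG filters, returning raw pixel rows."""
    stride = width * bpp
    prev, out, pos = bytearray(stride), bytearray(), 0
    for _ in range(height):
        ftype, pos = raw[pos], pos + 1
        line = bytearray(raw[pos:pos + stride])
        pos += stride
        if ftype > 4:
            raise ValueError(f'bad filter type {ftype}')
        for i in range(stride):
            a = line[i - bpp] if i >= bpp else 0   # left neighbour (already unfiltered)
            b = prev[i]                             # pixel above
            c = prev[i - bpp] if i >= bpp else 0   # upper-left neighbour
            if ftype == 1:
                line[i] = (line[i] + a) & 0xFF
            elif ftype == 2:
                line[i] = (line[i] + b) & 0xFF
            elif ftype == 3:
                line[i] = (line[i] + (a + b) // 2) & 0xFF
            elif ftype == 4:
                line[i] = (line[i] + _paeth(a, b, c)) & 0xFF
        out += line
        prev = line
    return bytes(out)


def read_png_rgb(data):
    """Decode an 8-bit, non-interlaced RGB/RGBA PNG into (width, height, rgb bytes)."""
    if not data.startswith(PNG_SIG):
        raise ValueError('not a PNG file')
    pos, idat, hdr = len(PNG_SIG), bytearray(), None
    while pos + 8 <= len(data):
        length, ctype = struct.unpack('>I4s', data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        pos += 12 + length                        # length + type + body + CRC
        if ctype == b'IHDR':
            hdr = struct.unpack('>IIBBBBB', body)
        elif ctype == b'IDAT':
            idat += body
        elif ctype == b'IEND':
            break
    width, height, depth, colour, _, _, interlace = hdr
    if depth != 8 or colour not in (2, 6) or interlace:
        raise ValueError('only 8-bit non-interlaced RGB/RGBA images are handled here')
    bpp = 3 if colour == 2 else 4
    rows = _unfilter(zlib.decompress(bytes(idat)), width, height, bpp)
    if bpp == 4:                                  # drop alpha, keep R,G,B per pixel
        rows = bytes(v for i, v in enumerate(rows) if i % 4 != 3)
    return width, height, rows


def carrier_capacity(width, height):
    """Bytes an image of this size can carry: 3 per pixel minus the two size pixels."""
    return width * height * 3 - 6


def extract_payload(rgb):
    """Declared length in the first two pixels, payload from pixel 2 onward (raster order).

    Assumption (not in the write-up): the 32-bit length is the first four channel
    bytes (R,G,B of pixel 0 and R of pixel 1), little-endian.
    """
    if len(rgb) < 6:
        raise ValueError('image too small to hold a length header')
    size = struct.unpack('<I', rgb[:4])[0]
    if size > len(rgb) - 6:
        raise ValueError(f'declared length {size} exceeds carrier capacity {len(rgb) - 6}')
    return rgb[6:6 + size]


def inspect_png(data):
    """Triage helper: capacity, declared length, header plausibility and the payload if it fits."""
    width, height, rgb = read_png_rgb(data)
    declared = struct.unpack('<I', rgb[:4])[0] if len(rgb) >= 4 else None
    capacity = carrier_capacity(width, height)
    plausible = declared is not None and 0 < declared <= capacity
    return {'width': width, 'height': height, 'capacity': capacity,
            'declared_length': declared, 'plausible_header': plausible,
            'payload': extract_payload(rgb) if plausible else b''}


def build_sample_png(payload, width=8):
    """Constructed test carrier (not a real sample): payload packed into an RGB PNG, filter 0."""
    rgb = struct.pack('<I', len(payload)) + b'\x00\x00' + payload
    height = -(-len(rgb) // (width * 3))
    rgb = rgb.ljust(width * height * 3, b'\x00')
    def chunk(tag, body):
        return struct.pack('>I', len(body)) + tag + body + struct.pack('>I', zlib.crc32(tag + body))
    scanlines = b''.join(b'\x00' + rgb[y * width * 3:(y + 1) * width * 3] for y in range(height))
    ihdr = struct.pack('>IIBBBBB', width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + chunk(b'IHDR', ihdr) + chunk(b'IDAT', zlib.compress(scanlines)) + chunk(b'IEND', b'')
```

In practice `inspect_png` is the function to run over images pulled from a suspicious host: a header whose declared length is non-zero, fits the carrier, and nearly fills it (as the 4,903-byte patch does in a 41 × 41 image, whose capacity is 5,037 bytes) is a strong sign the image is a carrier rather than a picture, and the recovered bytes can then be handed to the next analysis step (AMSI-patch script or GZip-compressed assembly) without ever executing them.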
Stage Four: .NET Loader with Advanced Evasion
The extracted .NET binary implements:
- 64-bit process hollowing using `GetThreadContext` and `SetThreadContext`
- AES and TripleDES encrypted payload chains
- Dynamic API resolution via manual PE export parsing
- Hardware breakpoint-based AMSI bypass using debug registers
- Vectored Exception Handler manipulation
- Mutex-based single instance enforcement
- Scheduled task persistence with AV-specific logic
Notably, the loader avoids suspicious Import Address Table entries by resolving APIs through hashed export table lookups rather than direct imports.
Final Payload: Pulsar RAT
The final stage downloads a third steganographic PNG image, extracts encrypted data, decrypts it using TripleDES, decompresses it with GZip, and reflectively loads the result into memory.
The recovered payload is Pulsar, an open source .NET Remote Access Trojan capable of:
- Remote command execution
- File manipulation
- Credential harvesting
- Keylogging
- Persistent C2 communication
The malware uses custom HTTP headers, SSL certificate validation bypass, and encrypted task retrieval mechanisms.
This campaign demonstrates a significant escalation in npm supply chain threats. By combining steganography, layered obfuscation, multiple AMSI bypass techniques, and process hollowing, the attackers built a deeply evasive infection chain. Static dependency scanning alone is insufficient against such techniques. Runtime monitoring, behavioral analysis, and strict dependency governance are now essential defenses against modern malicious npm packages.