A new attack vector where cybercriminals are weaponizing Google Calendar invites to deliver malware, using a sophisticated obfuscation technique involving just a single visible character that hides malicious code.
This discovery highlights how threat actors are evolving their tactics to bypass traditional security measures by exploiting trusted platforms.
In March 2025, security researchers at Aikido discovered a suspicious npm package called “os-info-checker-es6” that appeared to check system information but contained suspicious code.
.png
)
What caught their attention was what appeared to be just a vertical bar character (“|”) in the code, but was actually hiding something much more sinister.
“What we discovered was fascinating – that single character wasn’t actually a simple pipe symbol, but contained invisible Unicode Private Use Area (PUA) characters,” explained researchers in their analysis.
These PUA characters are reserved in the Unicode standard for custom applications and are inherently unprintable, making them perfect for hiding malicious code.
When decoded, this seemingly innocent character transformed into base64-encoded instructions that ultimately connected to Google Calendar for command and control operations.
Google Calendar Invites Deliver Malicious Payload
The investigation revealed that the malware was designed to fetch malicious payloads through a Google Calendar invite URL. The calendar invitation contained base64-encoded strings that, when decoded, directed victims to an attacker-controlled server.
“This represents a concerning evolution in attack methodology,” said Charlie Eriksen to Cyber Security News. “By leveraging Google Calendar – a trusted platform used by millions – attackers can bypass traditional email security measures that would typically flag suspicious attachments.”
Check Point researchers independently identified similar attacks, noting that cybercriminals are modifying email headers to make malicious messages appear as though they were sent directly from Google Calendar.
Once a target interacts with these calendar invites, they can be directed to fraudulent websites designed to steal credentials or financial information.
The attackers didn’t stop at one package. Security researchers identified multiple npm packages affected by this technique:
- skip-tot
- vue-dev-serverr
- vue-dummyy
- vue-bit
All these packages added the malicious “os-info-checker-es6” as a dependency, creating a wider attack surface.
Protecting Yourself
Google has acknowledged the threat, recommending that users enable the “known senders” setting in Google Calendar to help defend against this type of phishing. Security experts also advise:
- Be suspicious of unexpected calendar invites, especially those scheduled far in the future.
- Verify the sender’s identity before accepting invites or clicking links.
- Keep software updated to patch security vulnerabilities.
- Report suspicious calendar invitations as spam through Google Calendar’s reporting feature.
This attack demonstrates how cybercriminals continue to find innovative ways to deliver malicious payloads, leveraging trusted platforms and sophisticated obfuscation techniques.
By hiding malicious code in what appears to be a single character and utilizing Google Calendar as a delivery mechanism, attackers have created a concerning new attack vector that could potentially compromise both individual users and organizations.
Vulnerability Attack Simulation on How Hackers Rapidly Probe Websites for Entry Points – Free Webinar
