A malicious NPM package named buildrunner-dev has been caught hiding .NET malware inside innocent-looking PNG images, using steganography to slip past antivirus tools and deliver a Remote Access Trojan onto Windows systems.
Discovered in February 2026, this campaign signals a notable shift in supply chain attack methods, where the actual malicious code remains completely invisible inside what appears to be a normal image file.
The package was crafted as a typosquat of the legitimate buildrunner and build-runner NPM packages, both of which had long been abandoned by their maintainers.
A developer searching for the original package could easily mistake this malicious version for a maintained fork or updated release.
Once installed via npm install, the postinstall hook automatically triggered a file called init.js, which silently downloaded a batch file named packageloader.bat from a Codeberg repository.
The file then copied itself into the Windows Startup folder, guaranteeing it would run automatically on every subsequent login.
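To show how an install-time chain like this can be caught before it runs, here is an added example (not code from the article or from Veracode) that audits a package's npm lifecycle hooks. The package.json and init.js it inspects are constructed stand-ins modelled on the chain described above, with a placeholder download URL; the traits it looks for are assumptions, not a signature of this particular package.

```python
"""Audit an npm package's install-time lifecycle hooks before letting them run.

Added example modelled on the chain above: a postinstall hook runs a local JS
file, which in turn references a remote second stage and a way to execute it.
The package.json / init.js below are constructed stand-ins, not the real files.
"""
from __future__ import annotations

import json
import re

# npm lifecycle scripts that execute automatically during `npm install`
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Traits a hook script should not normally have (assumed heuristics):
# it fetches from the network, launches a process, or touches a Windows
# Startup folder / batch file.
TRAITS = {
    "remote_fetch": re.compile(r"https?://\S+|\b(fetch|https\.get|http\.get|axios|curl|wget)\b"),
    "spawns_process": re.compile(r"\b(child_process|execSync|spawnSync|exec|spawn)\b"),
    "startup_or_batch": re.compile(r"Programs[\\/]+Startup|\.bat\b", re.IGNORECASE),
}
URL_RX = re.compile(r"https?://[^\s'\"()]+")


def audit_install_hooks(package_json: str, files: dict[str, str]) -> list[dict]:
    """One finding per install hook: what it runs, which traits it shows, URLs it references."""
    scripts = json.loads(package_json).get("scripts", {})
    findings = []
    for hook, command in scripts.items():
        if hook not in INSTALL_HOOKS:
            continue
        # Inspect the command line plus any local file it names (e.g. `node init.js`),
        # because the hook itself usually looks harmless and the logic sits in the file.
        sources = [command] + [files[tok] for tok in command.split() if tok in files]
        traits = sorted(name for name, rx in TRAITS.items() if any(rx.search(s) for s in sources))
        urls = sorted({u for s in sources for u in URL_RX.findall(s)})
        findings.append({"hook": hook, "command": command, "traits": traits,
                         "urls": urls, "block": bool(traits)})
    return findings


# ---- constructed sample, modelled on the article's description -----------------
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "some-typosquat",            # placeholder, not the real package name
    "version": "0.0.1",
    "scripts": {"postinstall": "node init.js", "test": "echo ok"},
})
SAMPLE_FILES = {
    "init.js": (
        "// constructed stand-in: references a remote batch file and a way to run it\n"
        "const https = require('https');\n"
        "const { execSync } = require('child_process');\n"
        "const STAGE2 = 'https://example.invalid/repo/raw/packageloader.bat';\n"
    ),
}

if __name__ == "__main__":
    for finding in audit_install_hooks(SAMPLE_PACKAGE_JSON, SAMPLE_FILES):
        print(finding)
```

The practical counterpart of the audit is to stop hooks from running at all: npm install --ignore-scripts (or npm config set ignore-scripts true) installs a package without executing its preinstall, install or postinstall scripts, which defeats this kind of dropper outright, at the cost of having to run legitimate build steps by hand.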
Veracode analysts identified the full attack chain only after peeling back seven layers of obfuscation inside the batch file, which stretched to 1,653 lines but carried only about 21 lines of actual working instructions.
The remainder consisted of fabricated noise: scattered word comments, fake base64 strings, and junk variables built solely to confuse static analysis tools and human reviewers.
Before triggering its payload, the malware checked for admin rights and silently elevated itself using the fodhelper.exe UAC bypass technique (MITRE ATT&CK T1548.002), avoiding any visible prompt.
It then launched a concealed PowerShell session through conhost.exe, queried the system for installed antivirus products, and followed a different infection path depending on the result.
The final payload was Pulsar, a well-known open-source Remote Access Trojan, loaded into a legitimate Windows process through process hollowing.
Hiding in Plain Pixels
Two PNG images hosted on ImgBB carried the concealed malware: “6b8owksyv28w.png” (41×41 px, 2.3 KB) held a 4,903-byte AMSI bypass PowerShell script, while “0zt4quciwxs2.png” (141×141 px, 67 KB) contained a compressed 136 KB .NET loader.
The malware encoded these payloads directly into the RGB pixel values of each image, making them appear as random visual noise to any scanner.
A third steganographic PNG at hxxps://i.ibb[.]co/tpyTL2Zg/s9rugowxbq8i.png acted as the live C2 channel, delivering the final encrypted Pulsar RAT payload on demand.
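A payload written straight into pixel values survives any check that only looks at the PNG container, so triage has to decode the image and look at the bytes themselves. The following added example (not code from the article or from Veracode) does that with nothing but the Python standard library: it walks the PNG chunks, inflates the IDAT stream, reverses the scanline filters, and then scores the raw RGB bytes. The thresholds and the four sample images are constructed assumptions; a real picture the size of the article's 41×41 image has moderate byte entropy, whereas a stored script is almost entirely printable ASCII, a compressed or encrypted blob has entropy close to 8 bits per byte, and a stored PE file begins with the MZ magic.

```python
"""Recover and triage bytes hidden in a PNG's pixel values (added example, stdlib only).

Handles non-interlaced 8-bit RGB/RGBA PNGs. The sample images at the bottom are
constructed; the thresholds are heuristics, not a vendor's detection logic.
"""
from __future__ import annotations

import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _paeth(a: int, b: int, c: int) -> int:
    p = a + b - c
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    return a if pa <= pb and pa <= pc else (b if pb <= pc else c)


def decode_png_rgb(data: bytes) -> tuple[int, int, bytes]:
    """Return (width, height, unfiltered pixel bytes)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, idat = len(PNG_SIG), []
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        pos += 12 + length                       # length + type + body + CRC
        if ctype == b"IHDR":
            width, height, depth, color, _, _, interlace = struct.unpack(">IIBBBBB", body)
            if depth != 8 or color not in (2, 6) or interlace:
                raise ValueError("example handles 8-bit RGB/RGBA, non-interlaced only")
            bpp = 3 if color == 2 else 4
        elif ctype == b"IDAT":
            idat.append(body)
        elif ctype == b"IEND":
            break
    raw, stride = zlib.decompress(b"".join(idat)), width * bpp
    prev, pixels = bytearray(stride), bytearray()
    for row in range(height):
        off = row * (stride + 1)                 # each scanline: 1 filter byte + stride bytes
        ftype, line = raw[off], bytearray(raw[off + 1:off + 1 + stride])
        for i in range(stride):
            a = line[i - bpp] if i >= bpp else 0             # left neighbour, already reconstructed
            b, c = prev[i], (prev[i - bpp] if i >= bpp else 0)  # above, above-left
            if ftype == 1:
                line[i] = (line[i] + a) & 0xFF
            elif ftype == 2:
                line[i] = (line[i] + b) & 0xFF
            elif ftype == 3:
                line[i] = (line[i] + (a + b) // 2) & 0xFF
            elif ftype == 4:
                line[i] = (line[i] + _paeth(a, b, c)) & 0xFF
        pixels += line
        prev = line
    return width, height, bytes(pixels)


def shannon_entropy(buf: bytes) -> float:
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def triage_pixels(pixels: bytes) -> dict:
    """Heuristic verdict: picture, or script / packed blob / PE file stored in the pixels."""
    ent = shannon_entropy(pixels)
    printable = sum(32 <= b < 127 or b in b"\t\r\n" for b in pixels) / len(pixels)
    if pixels[:2] == b"MZ":
        verdict = "PE file stored in pixels"
    elif ent >= 7.5:
        verdict = "compressed or encrypted blob stored in pixels"
    elif printable >= 0.95:
        verdict = "script/text stored in pixels"
    else:
        verdict = "looks like image data"
    return {"entropy": round(ent, 2), "printable_ratio": round(printable, 3), "verdict": verdict}


def triage_png(data: bytes) -> dict:
    w, h, pixels = decode_png_rgb(data)
    return {"size": f"{w}x{h}", **triage_pixels(pixels)}


# ---- constructed samples; the encoder uses the Sub filter so decoding is exercised ----
def make_png(width: int, height: int, rgb: bytes) -> bytes:
    assert len(rgb) == width * height * 3
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    stride, rows = width * 3, []
    for r in range(height):
        row = rgb[r * stride:(r + 1) * stride]
        rows.append(b"\x01" + bytes((row[i] - (row[i - 3] if i >= 3 else 0)) & 0xFF for i in range(stride)))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(b"".join(rows))) + chunk(b"IEND", b"")


N = 41 * 41 * 3   # byte budget of a 41x41 RGB image, the size of the smaller image in the article
GRADIENT = bytes(v for y in range(41) for x in range(41) for v in (x * 6 % 256, y * 6 % 256, 128))
SCRIPT = (b"Write-Host 'constructed placeholder script' ; " * 200)[:N]   # stands in for a stored script
BLOB = (bytes(range(256)) * 20)[:N]                                       # stands in for a packed blob
PE_LIKE = b"MZ" + BLOB[2:]                                                # stands in for a stored PE file

if __name__ == "__main__":
    for name, px in [("gradient", GRADIENT), ("script", SCRIPT), ("blob", BLOB), ("pe", PE_LIKE)]:
        print(name, triage_png(make_png(41, 41, px)))
```

The decoder is deliberately limited to the simple case so that every step is visible; an image as small as 41×41 pixels is also itself a signal, since 5 KB of pixel data is an odd place for a legitimate package asset but exactly enough room for a short script.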
| Type | Indicator |
|---|---|
| Malicious NPM Package | buildrunner-dev |
| C2 Steganographic Image URL | hxxps://i.ibb[.]co/tpyTL2Zg/s9rugowxbq8i.png |
| Dropped Batch File | packageloader.bat |
| Persistence File | %AppData%protect.bat |
| Dropped Executable | JJYDJO.exe |
Security teams should audit NPM packages before installation, disable automatic postinstall script execution, and watch closely for unusual PowerShell behavior.
Monitoring for UAC bypass registry changes and unexpected outbound connections to free image hosting services can help surface similar attacks before serious damage is done.
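As an added example of the monitoring just described (not from the article or from Veracode), the rules below run over constructed, Sysmon-style event lines and flag three behaviours from this chain: a write to the ms-settings shell handler key under HKCU that the fodhelper.exe auto-elevation abuse (T1548.002) depends on, a script file created in a user's Startup folder, and a non-browser process connecting to a free image-hosting domain. The log format, the image-host list and the browser allowlist are assumptions to adapt to your own telemetry; only i.ibb.co comes from the article.

```python
"""Flag fodhelper-style UAC bypass, Startup-folder scripts and image-host C2 in telemetry.

Added example over constructed pipe-separated events (timestamp|event|image|detail);
these are not real logs and the rules are starting points, not a vendor signature.
"""
from __future__ import annotations

import re

# Rule 1: the per-user ms-settings handler key that fodhelper.exe consults; normal
# software never creates it, so any write there is worth an alert.
MS_SETTINGS_CMD = re.compile(r"\\Software\\Classes\\ms-settings\\Shell\\Open\\command", re.IGNORECASE)
# Rule 2: a script dropped into a Startup folder (the article's persistence step).
STARTUP_SCRIPT = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(bat|cmd|vbs|ps1)$", re.IGNORECASE)
# Rule 3: free image hosts (assumed list; i.ibb.co is the host named in the article)
# contacted by something other than a browser.
IMAGE_HOSTS = {"i.ibb.co", "ibb.co"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def process_name(image_path: str) -> str:
    return image_path.rsplit("\\", 1)[-1].lower()


def detect_chain_behaviours(lines: list[str]) -> list[dict]:
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, event, image, detail = line.split("|", 3)
        proc = process_name(image)
        rule = None
        if event == "RegistryValueSet" and MS_SETTINGS_CMD.search(detail):
            rule = "uac_bypass_ms_settings_key"
        elif event == "FileCreate" and STARTUP_SCRIPT.search(detail):
            rule = "startup_folder_script"
        elif event == "NetworkConnect":
            host = detail.rsplit(":", 1)[0].lower()
            if host in IMAGE_HOSTS and proc not in BROWSERS:
                rule = "image_host_from_non_browser"
        if rule:
            alerts.append({"time": ts, "rule": rule, "process": proc, "detail": detail})
    return alerts


# Constructed sample events: the first three mirror the chain in the article,
# the last three are benign activity that must not fire.
SAMPLE_EVENTS = r"""
2026-02-12T09:14:01Z|RegistryValueSet|C:\Windows\System32\cmd.exe|HKU\S-1-5-21-0-0-0-1001\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute
2026-02-12T09:14:02Z|NetworkConnect|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|i.ibb.co:443
2026-02-12T09:14:03Z|FileCreate|C:\Windows\System32\cmd.exe|C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\placeholder.bat
2026-02-12T09:20:00Z|NetworkConnect|C:\Program Files\Mozilla Firefox\firefox.exe|i.ibb.co:443
2026-02-12T09:21:00Z|RegistryValueSet|C:\Windows\explorer.exe|HKU\S-1-5-21-0-0-0-1001\Software\Classes\Local Settings\MuiCache\example
2026-02-12T09:22:00Z|FileCreate|C:\Users\alice\AppData\Local\Programs\Tool\tool.exe|C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tool.lnk
"""

if __name__ == "__main__":
    for alert in detect_chain_behaviours(SAMPLE_EVENTS.strip().splitlines()):
        print(alert)
```

The three rules fire on different stages of the chain, so correlating them on the same host within a short window gives far higher confidence than any one of them alone; the registry rule in particular is close to zero-noise on most fleets.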