Malware News: Hackers Leverage Steganographic Images to Bypass Anti-Malware Scans and Deploy Malware Payloads

Brownie2019

Mar 9, 2019
A malicious NPM package named buildrunner-dev has been caught hiding .NET malware inside innocent-looking PNG images, using steganography to slip past antivirus tools and deliver a Remote Access Trojan onto Windows systems.
Discovered in February 2026, this campaign signals a notable shift in supply chain attack methods, where the actual malicious code remains completely invisible inside what appears to be a normal image file.
The package was crafted as a typosquat of the legitimate buildrunner and build-runner NPM packages, both of which had long been abandoned by their maintainers.
A developer searching for the original package could easily mistake this malicious version for a maintained fork or updated release.
Full Story:
What you quoted matches reporting published today (February 24, 2026) about the npm typosquat “buildrunner-dev” delivering a multi-stage Windows infection chain that ultimately drops a .NET RAT (reported as Pulsar), with payload components hidden inside PNGs via steganography. ([cybersecuritynews.com](https://cybersecuritynews.com/hackers-leverage-steganographic-images/))

What’s actually “new”/notable here
It’s less “PNG files magically infect Windows when viewed” and more “a malicious npm install path uses postinstall + staged downloaders, and one of the stages stores encrypted/obfuscated payload blobs inside PNG pixel data to evade static scanning.” Veracode’s write-up describes multiple layers including an npm postinstall trigger, heavy obfuscation, PowerShell involvement, AMSI bypass attempts, and process hollowing, with hidden payloads retrieved from image-hosting infrastructure. ([veracode.com](https://www.veracode.com/blog/malicious-npm-package-hiding-in-plain-pixels/?utm_source=openai))

Why this matters for defenders
  • It’s a supply-chain pattern: compromise begins at “npm install” (dev machines, CI runners, build agents).
  • Steganography + staged downloads reduce what you can catch with simple “scan the package contents” workflows.
  • Postinstall scripts remain a high-risk feature in the npm ecosystem; attackers keep abusing them because they run automatically during install in many workflows. ([cybersecuritynews.com](https://cybersecuritynews.com/hackers-leverage-steganographic-images/))

Practical mitigation (low-friction first)
  • Inventory & block: Search org repos/lockfiles for “buildrunner-dev” and block it in your artifact proxy / allowlist-denylist controls. (Lockfiles help repeatability, but they won’t protect you from first-time installation of a typosquat.)
  • Harden installs: For untrusted/new deps, consider installs with scripts disabled (npm’s “ignore scripts” options) in review pipelines, then enable only after review. This can break legitimate packages, so it’s best applied to gated/review workflows rather than blanket production changes.
  • CI isolation: Treat build agents as high-value; use ephemeral runners, restrict egress, and prevent direct outbound access to random file/image hosting where possible (at minimum, monitor unusual access patterns).
  • Detection ideas: Alert on unusual child-process trees from npm/node (e.g., node spawning cmd/bat, PowerShell, conhost), and on UAC bypass behavior (the reporting mentions “fodhelper.exe” abuse) and process hollowing patterns. ([cybersecuritynews.com](https://cybersecuritynews.com/hackers-leverage-steganographic-images/))

If someone already installed it
Because this is reported as delivering a RAT on Windows in this campaign, the safest response is standard incident-handling:
  • Isolate the host(s) that ran the install (dev endpoint and/or CI runner).
  • Collect logs/artifacts (don’t “clean first”), then run full AV/EDR scans.
  • Rotate secrets that may have been exposed on that machine (tokens, signing keys, CI creds).
  • Strongly consider re-imaging affected build agents/endpoints if execution is confirmed, given the RAT/process injection techniques described. ([veracode.com](https://www.veracode.com/blog/malicious-npm-package-hiding-in-plain-pixels/?utm_source=openai))

Bottom line: the headline is sensational, but the underlying lesson is solid—typosquats + postinstall execution + staged payloads (including stego blobs) are an effective modern supply-chain combo, so dependency governance and install-time controls matter as much as endpoint AV here. ([veracode.com](https://www.veracode.com/blog/malicious-npm-package-hiding-in-plain-pixels/?utm_source=openai))
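The child-process and persistence patterns named in the "Detection ideas" bullet above (node spawning cmd/PowerShell/conhost, fodhelper.exe abuse, batch files dropped under %AppData%) and in the SIEM hunt in the Technical Analysis post further down, turned into runnable detection logic over constructed process-creation records. This is an added example, not code from the thread or from the cited write-ups; the event fields are assumed Sysmon-style fields and the sample events are made up.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed Sysmon Event ID 1 style record (fields assumed; not real telemetry).
@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str

SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "conhost.exe",
                  "wscript.exe", "cscript.exe"}
NPM_PARENTS = {"node.exe", "npm.cmd"}

def _name(path: str) -> str:
    """Case-insensitive basename of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> List[str]:
    """Return the suspicious patterns this single event matches (empty = benign)."""
    parent, child, cmd = _name(ev.parent_image), _name(ev.image), ev.command_line.lower()
    hits = []
    if parent in NPM_PARENTS and child in SHELL_CHILDREN:
        hits.append("node/npm spawned shell or script interpreter (postinstall abuse)")
    if parent == "fodhelper.exe":
        hits.append("fodhelper.exe spawned a child (UAC bypass pattern)")
    if "\\appdata\\roaming\\" in cmd and ".bat" in cmd:
        hits.append("batch file executed from %AppData% (persistence pattern)")
    return hits

def scan(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Index and findings for every event that matched at least one pattern."""
    return [(i, h) for i, ev in enumerate(events) if (h := classify(ev))]

# Constructed sample: an npm postinstall chain mixed with benign activity.
SAMPLE = [
    ProcEvent(r"C:\Program Files\nodejs\node.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /d /s /c "packageloader.bat"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(r"C:\Windows\System32\fodhelper.exe", r"C:\Windows\System32\conhost.exe",
              r"\??\C:\Windows\system32\conhost.exe 0x4"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\dev\AppData\Roaming\protect.bat"'),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE):
        print(idx, SAMPLE[idx].image, findings)
```

In a real pipeline the same rules would run over the SIEM's process-creation feed; the explorer.exe event is included to show that ordinary parent/child pairs produce no finding.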
 
The issue is not steganography itself, but the blind trust in installation processes: post-installation scripts and lack of dependency control are the real risk vector. A practical strategy is to review which packages are installed and how they are executed, because it matters as much as having antivirus on the endpoint 🔍🛡️
 
Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1059.003 – Command and Scripting Interpreter: Windows Command Shell (batch scripts).
T1027.003 – Obfuscated Files or Information: Steganography (payloads hidden in RGB pixel values).
T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control (fodhelper.exe).
T1055.012 – Process Injection: Process Hollowing (targeting legitimate Windows processes).
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder.

CVE Profile

NVD Score: Unknown (no specific CVE assigned for this malicious package)

CISA KEV Status: Inactive

Telemetry

Delivery Package: buildrunner-dev

Dropped Files: packageloader.bat, init.js, JJYDJO.exe, %AppData%\protect.bat

Steganographic Files: 6b8owksyv28w.png (41x41 px, 2.3 KB), 0zt4quciwxs2.png (141x141 px, 67 KB)

C2 / Payload URL: hxxps://i[.]ibb[.]co/tpyTL2Zg/s9rugowxbq8i[.]png

Constraint
The final structure resembles the open-source Pulsar RAT, loaded directly into a Windows process via process hollowing to evade detection.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Enforce software supply chain risk management policies mandating the auditing of new or untrusted NPM dependencies before introduction to the CI/CD pipeline.

DETECT (DE) – Monitoring & Analysis

Command
Deploy SIEM queries hunting for fodhelper.exe spawning abnormal child processes (e.g., conhost.exe, powershell.exe) without interactive user sessions.

Command
Monitor EDR telemetry for anomalous outbound network connections to free image hosting services (e.g., ImgBB) originating from script interpreters or developer IDEs.

RESPOND (RS) – Mitigation & Containment

Command
Isolate endpoints exhibiting process hollowing behavior or executing packageloader.bat from the corporate network immediately.

Command
Preserve volatile memory (RAM) on infected endpoints to extract the unencrypted .NET assembly and identify active C2 connections.

RECOVER (RC) – Restoration & Trust

Command
Reimage all compromised developer workstations from a known-good baseline.

Command
Force rotation of all credentials, API keys, and access tokens stored on affected devices.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Configure NPM to disable automatic execution of install scripts globally by executing npm config set ignore-scripts true.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Threat Level
Theoretical/Low. The delivery dependency (NPM/Node.js) is not installed by default on Windows Home environments.

Command
Disconnect from the internet immediately only if you are a developer who recently installed the buildrunner-dev package or are experiencing anomalous command prompt popups.

Command
Do not log into banking/email until verified clean.

Priority 2: Identity

Command
Reset passwords and MFA tokens using a known clean device (e.g., a mobile phone on a 5G cellular network).

Priority 3: Persistence

Command
Check the Windows Startup folder (shell:startup) and %AppData% for unexpected batch files, specifically looking for protect.bat or packageloader.bat.

Hardening & References

Baseline

CIS Benchmarks for Windows 10/11 (enforcing UAC at its strictest setting), CIS Benchmarks for Node.js (Supply Chain Security).

Framework
NIST CSF 2.0 / SP 800-61r3.

Source

Veracode Blog

Cyber Security News
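The "Inventory & block" step from the earlier reply (search lockfiles for buildrunner-dev) and the IDENTIFY & PROTECT command above (npm config set ignore-scripts true), as one added checking script; it is not code from the thread or from npm. It reads package-lock.json in both the lockfileVersion 1 (nested "dependencies") and 2/3 ("packages" keyed by node_modules path) shapes and verifies that an .npmrc actually carries ignore-scripts=true; the sample lockfile and .npmrc are constructed.

```python
import json
from typing import List, Set

# Package names to hunt for; "buildrunner-dev" is the typosquat named in the thread.
DENYLIST = {"buildrunner-dev"}

def lockfile_packages(lock_text: str) -> Set[str]:
    """All package names in a package-lock.json (v1 dependencies tree or v2/v3 packages map)."""
    lock = json.loads(lock_text)
    names: Set[str] = set()
    for key in lock.get("packages", {}):          # v2/v3: "node_modules/<name>" keys
        if key:                                   # "" is the root project itself
            names.add(key.rsplit("node_modules/", 1)[-1])   # keeps "@scope/name" intact
    def walk(deps: dict) -> None:                 # v1: nested "dependencies" tree
        for name, meta in deps.items():
            names.add(name)
            walk(meta.get("dependencies", {}))
    walk(lock.get("dependencies", {}))
    return names

def find_denied(lock_text: str) -> List[str]:
    """Denylisted package names present anywhere in the lockfile, sorted."""
    return sorted(lockfile_packages(lock_text) & DENYLIST)

def ignore_scripts_enabled(npmrc_text: str) -> bool:
    """True only if the .npmrc sets ignore-scripts=true (comments and spaces tolerated)."""
    for line in npmrc_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if "=" in line:
            k, v = (p.strip().lower() for p in line.split("=", 1))
            if k == "ignore-scripts":
                return v == "true"
    return False

# Constructed sample lockfile (v3 shape) and .npmrc; not taken from any real project.
SAMPLE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"buildrunner-dev": "^1.0.0", "lodash": "^4.17.21"}},
        "node_modules/buildrunner-dev": {"version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})
SAMPLE_NPMRC = "registry=https://registry.npmjs.org/\n# review pipeline\nignore-scripts = true\n"

if __name__ == "__main__":
    print("denied packages:", find_denied(SAMPLE_LOCK))
    print("ignore-scripts enforced:", ignore_scripts_enabled(SAMPLE_NPMRC))
```

Run it against each repository's lockfile and the user-level and project-level .npmrc; a denied hit or a missing ignore-scripts=true in a review pipeline is the signal to stop and inspect before installing.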