Imagine downloading a seemingly harmless NPM package, only for it to secretly deploy a Remote Access Trojan (RAT) on your system. In February 2026, Veracode analysts uncovered a sophisticated supply chain attack where attackers leveraged steganographic images to bypass antivirus tools, delivering malware via innocent-looking PNG files.
For CISOs, SOC analysts, and IT managers, this incident underscores the evolving sophistication of threat actors and the critical need for proactive threat detection strategies. In this post, we’ll dissect this attack, explain how it works, highlight common misconceptions, and provide actionable steps to protect your systems.
What Are Steganographic Malware Attacks?
Steganography is the art of hiding information within other files or data formats—images, audio files, or documents—so the hidden payload remains invisible to human eyes and traditional scanners.
In the context of cybersecurity:
- Attackers encode malicious code into image pixels, often in PNG or JPEG formats.
- Malware remains dormant until decoded by a loader script.
- Traditional antivirus and endpoint detection solutions may fail to identify these threats due to the innocuous appearance of the file.
Key takeaway: Steganography allows malware to “hide in plain sight,” making supply chain attacks harder to detect and mitigate.
Case Study: buildrunner-dev NPM Package
Background
The malicious buildrunner-dev package was a typosquatting attempt on legitimate but abandoned NPM packages buildrunner and build-runner. Unsuspecting developers searching for the original package could easily mistake it for a maintained fork.
Attack Chain Overview
- Installation Trigger: Running `npm install buildrunner-dev` automatically triggered a postinstall hook that executed `init.js`.
- Downloader Execution: `init.js` silently downloaded `packageloader.bat` from a Codeberg repository and copied itself into `%AppData%\Startup`, ensuring persistence.
- Obfuscation Layer: The batch file contained 1,653 lines, but only ~21 lines were functional. The rest were junk variables, fake base64 strings, and noise designed to thwart static analysis and human review.
- Privilege Escalation: The malware checked for admin rights and used the fodhelper.exe UAC bypass (MITRE ATT&CK T1548.002) to gain elevated privileges without triggering prompts.
- Payload Delivery:
  - Launched a hidden PowerShell session through conhost.exe.
  - Queried installed antivirus products.
  - Executed different infection paths depending on the result.
  - Deployed Pulsar RAT via process hollowing inside legitimate Windows processes.
Hiding Malware in PNG Images
Two PNG images hosted on ImgBB concealed the malicious payloads:
| Image | Size | Payload |
|---|---|---|
| 6b8owksyv28w.png | 41×41 px, 2.3 KB | AMSI bypass PowerShell script (4,903 bytes) |
| 0zt4quciwxs2.png | 141×141 px, 67 KB | Compressed 136 KB .NET loader |
A third steganographic PNG acted as a live C2 channel, delivering the final encrypted Pulsar RAT payload on demand.
Technical insight:
The malware encoded these payloads into RGB pixel values, rendering them as visual noise. Traditional scanners often overlook such files because they appear innocuous.
Why This Attack Is Concerning
- Supply Chain Risks: Typosquatting attacks exploit developer trust in NPM packages.
- Anti-Malware Evasion: Traditional scanners struggle with steganography-based malware.
- Persistence and Privilege Escalation: Automatic execution via Startup folders and UAC bypass ensures malware survives reboots and runs stealthily.
- Flexible Payload Deployment: Attackers can modify payloads remotely via C2 channels.
Common Misconceptions
- “Images are harmless.” Steganography can embed executable code.
- “Antivirus will detect everything.” Obfuscation and pixel encoding evade signature-based detection.
- “Open-source software is always safe.” Typosquatting attacks exploit abandoned packages, making even familiar ecosystems risky.
Best Practices to Defend Against Steganographic Malware
Supply Chain Security
- Audit all NPM packages before installation.
- Avoid abandoned packages or typosquatted names.
- Use lockfiles (`package-lock.json`) to prevent malicious updates.
Endpoint Protection
- Disable automatic execution of postinstall scripts.
- Monitor PowerShell activity, especially scripts executing AMSI bypass techniques.
- Watch for unexpected UAC bypass registry changes.
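The three endpoint checks above, as an added example that is not from the original post or from Veracode: a small detector run over constructed Sysmon-style events that flags a shell spawned under node.exe, a script executed from the Startup folder, and a write to the ms-settings shell\open\command registry key that fodhelper.exe consults (the T1548.002 artifact). Event ids follow Sysmon (1 = process create, 13 = registry value set); pids, paths and the SID are placeholders, not values from the incident.

```python
import json
import re

# Constructed Sysmon-style events (one JSON object per line) modelled on the chain in the post:
# node running init.js -> cmd executing a .bat from the Startup folder -> hidden PowerShell via
# conhost.exe -> registry write to the key that fodhelper.exe consults (T1548.002).
# Event ids follow Sysmon (1 = process create, 13 = registry value set); pids, paths and the
# SID are placeholders, not values from the incident.
SAMPLE_EVENTS = r"""
{"id": 1, "pid": 410, "ppid": 300, "image": "C:\\Program Files\\nodejs\\node.exe", "cmd": "node init.js"}
{"id": 1, "pid": 412, "ppid": 410, "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "cmd /c C:\\Users\\dev\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\packageloader.bat"}
{"id": 1, "pid": 415, "ppid": 412, "image": "C:\\Windows\\System32\\conhost.exe", "cmd": "conhost.exe powershell.exe -WindowStyle Hidden -File loader.ps1"}
{"id": 13, "pid": 415, "ppid": 412, "image": "C:\\Windows\\System32\\conhost.exe", "target": "HKU\\S-1-5-21-0-0-0-1001\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\(Default)"}
{"id": 1, "pid": 500, "ppid": 300, "image": "C:\\Program Files\\nodejs\\node.exe", "cmd": "node build.js"}
{"id": 1, "pid": 501, "ppid": 500, "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "cmd /c tsc -p ."}
"""

# Registry path fodhelper.exe reads when launched; a write here from a user process is the
# classic T1548.002 precursor worth alerting on.
FODHELPER_KEY = re.compile(r"\\Software\\Classes\\ms-settings\\Shell\\Open\\command", re.I)
STARTUP_SCRIPT = re.compile(r"\\Startup\\\S+\.(bat|cmd|ps1|vbs|js)\b", re.I)
SHELLS = ("powershell.exe", "pwsh.exe", "conhost.exe")

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect(lines: str) -> list:
    """Return (rule, pid) alerts for the three behaviours the list above says to watch."""
    events = [json.loads(line) for line in lines.splitlines() if line.strip()]
    parent = {e["pid"]: e["ppid"] for e in events if e["id"] == 1}
    image = {e["pid"]: _basename(e["image"]) for e in events if e["id"] == 1}

    def lineage(pid):  # yield ancestor image names by following the ppid links we have seen
        while pid in parent:
            pid = parent[pid]
            yield image.get(pid, "")

    alerts = []
    for e in events:
        if e["id"] == 13 and FODHELPER_KEY.search(e.get("target", "")):
            alerts.append(("uac_bypass_registry_hijack", e["pid"]))
        elif e["id"] == 1:
            if _basename(e["image"]) in SHELLS and "node.exe" in lineage(e["pid"]):
                alerts.append(("shell_spawned_under_node", e["pid"]))
            if STARTUP_SCRIPT.search(e.get("cmd", "")):
                alerts.append(("script_executed_from_startup_folder", e["pid"]))
    return alerts
```

The benign `node build.js` / `cmd /c tsc` pair in the sample produces no alert, which is the point of keying on process lineage plus the specific key rather than on node or cmd alone.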
Network and Detection Strategies
- Monitor outbound connections to free image hosting platforms.
- Deploy behavioral analysis tools to detect anomalous process hollowing or hidden RAT execution.
- Map detections to MITRE ATT&CK techniques so coverage of the tactics seen in this attack can be tracked.
Tools & Frameworks
- NIST CSF: For supply chain and endpoint risk management.
- MITRE ATT&CK: To understand TTPs (Tactics, Techniques, and Procedures).
- Veracode or Snyk: For automated static analysis of open-source dependencies.
Expert Insights
- Risk Impact: This type of malware can lead to credential theft, lateral movement, and data exfiltration.
- Compliance Relevance: Organizations in HIPAA, PCI DSS, or SOC 2 contexts must ensure third-party software doesn’t introduce hidden risks.
- Detection Difficulty: Pixel-level malware requires advanced heuristics or sandbox execution to identify.
FAQs
1. What is steganography in cybersecurity?
Steganography hides malware within files like images, audio, or documents, making it invisible to traditional detection methods.
2. How can NPM typosquatting be prevented?
Validate package names, avoid abandoned packages, and use tools like npm audit or Snyk to check dependencies.
3. What is Pulsar RAT?
Pulsar is an open-source Remote Access Trojan that allows attackers to execute commands, exfiltrate data, and control compromised systems remotely.
4. Which mitigation strategies work best against UAC bypass malware?
Monitor registry changes, enforce least privilege policies, and use behavioral monitoring to detect unauthorized elevation attempts.
5. How can supply chain malware be detected before deployment?
Static and dynamic code analysis, sandboxing, and monitoring of unusual postinstall script behaviors help catch malicious packages.
Conclusion
The buildrunner-dev incident highlights the evolving sophistication of supply chain attacks. Malware hidden in steganographic images, combined with obfuscation and UAC bypass techniques, demonstrates why modern cybersecurity requires multi-layered defense strategies.
Organizations should audit dependencies, monitor for anomalous behaviors, and integrate threat intelligence into their security posture. Staying proactive reduces the risk of remote access trojans and similar advanced threats compromising enterprise networks.
Next step: Assess your software supply chain for hidden threats and adopt behavior-based malware detection tools to stay ahead of sophisticated attackers.