Attackers are hiding malware inside seemingly harmless PNG images to slip past security defenses. A recently discovered malicious NPM package, `buildrunner-dev`, conceals .NET malware in such images, using steganography to evade antivirus scans and ultimately deploy a Remote Access Trojan (RAT) on Windows systems. The package, identified in February 2026, marks a notable evolution in supply chain attack methodology: the package published to the registry contains only a small downloader, and the actual payloads arrive later, stored as pixel data rather than as anything a scanner would recognize as an executable.
The package was a typosquat of the legitimate `buildrunner` and `build-runner` NPM packages. Both originals had been abandoned by their maintainers, which made the malicious version look like a maintained alternative to developers searching for them. On `npm install`, a `postinstall` hook, which npm runs automatically unless installs are performed with lifecycle scripts disabled, launched a script named `init.js`. That script silently downloaded a batch file, `packageloader.bat`, from a Codeberg repository. The batch file then copied itself into the Windows Startup folder so that it ran at every user logon.
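The install-time hook is the part of this chain a developer can catch before anything runs. The following script is an added example, not code from the article or from Veracode: it reads a `package.json`, lists every lifecycle script npm would execute during install, and flags commands that download, launch a Windows shell or batch file, or run a bundled script. The sample manifest is constructed for illustration; only the `postinstall` hook and the `init.js` file name come from the article, and the heuristic patterns are this example's own choices.

```python
import json
import os
import re

# Lifecycle scripts that npm runs on its own during `npm install`.
# (Assumption: this is the set worth reviewing; `prepare` also runs when
# a git or local dependency is installed.)
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic patterns for hook commands that fetch from the network, launch a
# Windows shell or script, or reference persistence locations. Not a complete
# list; tune for your own environment.
SUSPICIOUS = (
    (r"\bcurl\b|\bwget\b|Invoke-WebRequest|\biwr\b|\bbitsadmin\b|\bcertutil\b",
     "downloads from the network"),
    (r"\bnode\s+\S+\.js\b", "runs a bundled script at install time"),
    (r"\.(bat|cmd|ps1)\b|\bpowershell\b|\bcmd(\.exe)?\s+/c\b",
     "launches a Windows shell or batch/PowerShell file"),
    (r"\bStartup\b", "references the Startup folder"),
)


def audit_manifest(manifest_text, name="<unknown>"):
    """Return (package, hook, command, reasons) for every install-time hook
    declared in one package.json. A hook is reported even when no pattern
    matches, because any install-time execution deserves a look."""
    pkg = json.loads(manifest_text)
    scripts = pkg.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = [why for pat, why in SUSPICIOUS if re.search(pat, cmd, re.IGNORECASE)]
        findings.append((pkg.get("name", name), hook, cmd,
                         reasons or ["install-time hook present"]))
    return findings


def audit_tree(root):
    """Walk an installed node_modules tree (or an unpacked tarball) and audit
    every package.json found, returning the combined findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" in files:
            path = os.path.join(dirpath, "package.json")
            with open(path, encoding="utf-8") as fh:
                findings.extend(audit_manifest(fh.read(), name=path))
    return findings


# Constructed sample manifest shaped like the package the article describes.
# The postinstall hook and init.js name match the article; the rest is made up.
SAMPLE_MANIFEST = json.dumps({
    "name": "buildrunner-dev",
    "version": "1.0.3",
    "description": "Build runner utilities",
    "scripts": {"postinstall": "node init.js", "test": "echo ok"},
})

# Constructed benign manifest for comparison: no install-time hooks at all.
BENIGN_MANIFEST = json.dumps({"name": "left-pad-ish", "scripts": {"test": "node test.js"}})

if __name__ == "__main__":
    for pkg_name, hook, cmd, reasons in audit_manifest(SAMPLE_MANIFEST):
        print(f"{pkg_name}: {hook} -> {cmd!r}: {', '.join(reasons)}")
```

For an untrusted install, `npm install --ignore-scripts` prevents every lifecycle hook from running at all (`npm config set ignore-scripts true` makes that the default); the trade-off is that legitimate native-module build steps are skipped too, so review the findings before re-enabling scripts for a specific package.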
Hiding in Plain Pixels: The Steganographic Attack Chain
Security researchers at Veracode unraveled the attack sequence, which meant peeling back seven layers of obfuscation in `packageloader.bat`. The batch file ran to 1,653 lines, but only about 21 of them did anything; the rest was deliberately inserted noise, including scattered comments, fake Base64 strings, and unused variables, all there to defeat static analysis tools and slow down manual review.
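The noise described above is lexical, so a first triage pass can strip most of it mechanically. The script below is an added example, not Veracode's tooling and not the real `packageloader.bat`: it drops comment and blank lines from a batch file, then repeatedly removes `set` assignments to variables that are never expanded anywhere (`%NAME%`, `!NAME!`, or substring and substitution forms), and reports how many lines survive. The sample batch text is constructed to show the noise types the article lists; it is not the actual file.

```python
import re

# Comment lines: `rem ...`, `@rem ...`, or the `::` label trick.
COMMENT_RE = re.compile(r"^\s*(?:@\s*)?(?:rem\b|::)", re.IGNORECASE)
# Assignments: `set NAME=...`, `set "NAME=..."`, `set /a NAME=...`; captures NAME.
SET_RE = re.compile(r'^\s*@?\s*set\s+(?:/[ap]\s+)?"?([A-Za-z_][A-Za-z0-9_]*)\s*=',
                    re.IGNORECASE)


def strip_batch_noise(text):
    """Return the lines of a .bat that can still do something. Comments and
    blank lines are dropped first; then `set` lines whose variable is never
    expanded anywhere in the remaining text are removed, repeating until a
    pass removes nothing (so a chain of dead variables collapses fully)."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln.strip() and not COMMENT_RE.match(ln)]
    while True:
        body = "\n".join(lines)
        dead = set()
        for idx, ln in enumerate(lines):
            m = SET_RE.match(ln)
            if not m:
                continue
            name = re.escape(m.group(1))
            # Expansion forms: %NAME%, %NAME:a=b%, %NAME:~0,3%, !NAME!
            if not re.search(r"[%!]" + name + r"(?::[^%!\n]*)?[%!]", body, re.IGNORECASE):
                dead.add(idx)
        if not dead:
            return lines
        lines = [ln for idx, ln in enumerate(lines) if idx not in dead]


def summarize(text):
    """Line counts before and after stripping, for a quick noise ratio."""
    total = len(text.splitlines())
    kept = strip_batch_noise(text)
    return {"total_lines": total, "functional_lines": len(kept),
            "noise_lines": total - len(kept)}


# Constructed sample: comments carrying fake Base64, unused variables (one of
# them referenced only by another unused variable), and a few real actions.
SAMPLE_BAT = r'''@echo off
:: build helper, do not edit
REM aGVsbG8gd29ybGQgdGhpcyBpcyBub2lzZQ==
set "noise1=Q29uZmlndXJhdGlvbiBsb2FkZWQ="
set "noise2=%random%%random%"
set "startup=%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
rem more filler here
set "me=%~f0"
:: ZmFrZSBiYXNlNjQgc3RyaW5n
copy /y "%me%" "%startup%\runner.bat" >nul
set "noise3=%noise2%_tail"
net session >nul 2>&1
if %errorlevel% neq 0 echo not elevated
'''

if __name__ == "__main__":
    print(summarize(SAMPLE_BAT))
    print("\n".join(strip_batch_noise(SAMPLE_BAT)))
```

This is a starting point, not a verdict: `call set`, delayed expansion, `for /f` loops that build variable names at run time, and escaped `%%` inside loops can all hide a reference from a textual scan, so confirm what the stripped script actually does by detonating the original in a sandbox.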
Before running its payload, the malware checked whether it already had administrative privileges and, where needed, elevated silently using the `fodhelper.exe` UAC bypass, a technique catalogued in MITRE ATT&CK as T1548.002. `fodhelper.exe` is a Windows binary that auto-elevates, so on default UAC settings the bypass produces no visible User Account Control prompt. Once elevated, the malware launched a hidden PowerShell session via `conhost.exe`.
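The fodhelper bypass leaves two reliable traces on a host running Sysmon: a registry value written under `HKCU\Software\Classes\ms-settings\shell\open\command` (Event ID 13) and a process whose parent is `fodhelper.exe` (Event ID 1). The detector below is an added example, not part of the article or of Veracode's analysis. The log lines are constructed in a flattened `Field=value|Field=value` layout to stand in for a Sysmon export, and the command line they contain is invented; the article does not publish the exact registry write or command this batch file used.

```python
import re

# Tail of the key the fodhelper bypass writes. Sysmon records HKCU keys as
# HKU\<SID>\Software\Classes\... or HKU\<SID>_Classes\..., so match the tail.
MS_SETTINGS_KEY = re.compile(r"\\ms-settings\\shell\\open\\command(\\|$)", re.IGNORECASE)


def parse_event(line):
    """Parse one 'Field=value|Field=value' line into a dict.
    (Assumption: a flattened Sysmon export; adapt this to your real log format.)"""
    return dict(part.split("=", 1) for part in line.rstrip("\n").split("|"))


def detect_fodhelper(lines):
    """Return alerts for both observable halves of T1548.002 via fodhelper:
    staging (Event ID 13: a value set under ms-settings\\shell\\open\\command)
    and execution (Event ID 1: any process whose parent is fodhelper.exe).
    fodhelper.exe has no business spawning children in normal use."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "13" and MS_SETTINGS_KEY.search(ev.get("TargetObject", "")):
            alerts.append({"stage": "staging", "image": ev.get("Image"),
                           "target": ev["TargetObject"], "details": ev.get("Details")})
        elif eid == "1" and ev.get("ParentImage", "").lower().endswith("\\fodhelper.exe"):
            alerts.append({"stage": "execution", "image": ev.get("Image"),
                           "cmdline": ev.get("CommandLine")})
    return alerts


# Constructed log lines: two registry writes that stage the bypass, the launch
# of fodhelper.exe, the elevated child it spawns, and one unrelated registry
# write that must not alert.
SAMPLE_LOG = [
    r"EventID=13|Image=C:\Windows\System32\cmd.exe|TargetObject=HKU\S-1-5-21-1000-2000-3000-1001_Classes\ms-settings\shell\open\command\(Default)|Details=cmd.exe /c start /min C:\Users\dev\AppData\Roaming\runner.bat",
    r"EventID=13|Image=C:\Windows\System32\cmd.exe|TargetObject=HKU\S-1-5-21-1000-2000-3000-1001_Classes\ms-settings\shell\open\command\DelegateExecute|Details=(Empty)",
    r"EventID=1|Image=C:\Windows\System32\fodhelper.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=fodhelper.exe",
    r"EventID=1|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\System32\fodhelper.exe|CommandLine=cmd.exe /c start /min C:\Users\dev\AppData\Roaming\runner.bat",
    r"EventID=13|Image=C:\Windows\explorer.exe|TargetObject=HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden|Details=DWORD (0x00000001)",
]

if __name__ == "__main__":
    for alert in detect_fodhelper(SAMPLE_LOG):
        print(alert)
```

The staging rule fires before elevation happens, which is the point: the registry write is the only moment the attacker's command is visible in the clear. On a live host, `reg query HKCU\Software\Classes\ms-settings\shell\open\command` should return nothing; an existing key is worth investigating even without Sysmon. Setting UAC to "Always notify" removes the auto-elevation that this bypass depends on.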
The PowerShell session enumerated the antivirus products installed on the host and, based on what it found, chose among different infection paths. The final payload was Pulsar, a well-known open-source Remote Access Trojan. It was injected into a legitimate Windows process by process hollowing: a benign process is started suspended, its memory is replaced with the RAT, and execution resumes under the legitimate process name, so the implant hides among normal system activity.
The steganographic stage relied on two PNG images hosted on ImgBB. The first, “6b8owksyv28w.png”, a 41×41 pixel file of 2.3 KB, carried a 4,903-byte AMSI bypass PowerShell script. The second, “0zt4quciwxs2.png”, 141×141 pixels and 67 KB, carried a .NET loader of 136 KB, stored in compressed form. The malware wrote these components directly into the Red, Green, and Blue (RGB) pixel values of each image, rendering them to appear
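The sizes above are consistent with one payload byte per colour sample: a 41×41 RGB image offers 41 × 41 × 3 = 5,043 bytes, enough for the 4,903-byte script, while 141×141 offers 59,643 bytes, which is why a 136 KB loader has to be compressed before it can fit. The code below is an added example, not the malware's own encoder or Veracode's extractor: it writes a PNG whose RGB samples are the payload bytes, and reads one back while undoing all five PNG row filters so the reader also works on images a real encoder produced. The article does not say how the real images framed their payload; the 4-byte length prefix and the filler pattern are this example's own conventions, and the payload is a constructed placeholder.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag, data):
    return (struct.pack(">I", len(data)) + tag + data
            + struct.pack(">I", zlib.crc32(tag + data) & 0xFFFFFFFF))


def write_png_rgb(width, height, rgb):
    """Write an 8-bit RGB, non-interlaced PNG with filter type 0 on every row."""
    assert len(rgb) == width * height * 3
    stride = width * 3
    raw = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def read_png_rgb(png):
    """Return (width, height, rgb) for an 8-bit RGB non-interlaced PNG,
    reversing the None/Sub/Up/Average/Paeth row filters."""
    assert png[:8] == PNG_SIG, "not a PNG"
    pos, idat = 8, b""
    while pos < len(png):
        length, tag = struct.unpack(">I4s", png[pos:pos + 8])
        body = png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype, _, _, interlace = struct.unpack(">IIBBBBB", body)
            assert (depth, ctype, interlace) == (8, 2, 0), "8-bit RGB, non-interlaced only"
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length
    raw = zlib.decompress(idat)
    bpp, stride = 3, width * 3
    out, prev = bytearray(), bytearray(stride)
    for y in range(height):
        off = y * (stride + 1)
        ftype, line = raw[off], bytearray(raw[off + 1:off + 1 + stride])
        for i in range(stride):
            a = line[i - bpp] if i >= bpp else 0   # reconstructed byte to the left
            b = prev[i]                             # reconstructed byte above
            c = prev[i - bpp] if i >= bpp else 0    # reconstructed byte above-left
            if ftype == 1:
                line[i] = (line[i] + a) & 0xFF
            elif ftype == 2:
                line[i] = (line[i] + b) & 0xFF
            elif ftype == 3:
                line[i] = (line[i] + (a + b) // 2) & 0xFF
            elif ftype == 4:
                p = a + b - c
                pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
                pred = a if (pa <= pb and pa <= pc) else (b if pb <= pc else c)
                line[i] = (line[i] + pred) & 0xFF
        out += line
        prev = line
    return width, height, bytes(out)


def capacity(width, height):
    """Bytes an image can carry when every R, G and B sample holds one payload byte."""
    return width * height * 3


def embed(payload, width, height):
    """Store the payload as raw bytes in the RGB samples, preceded by a 4-byte
    big-endian length (this example's framing, an assumption) and padded with
    a deterministic filler so the image is full."""
    body = struct.pack(">I", len(payload)) + payload
    assert len(body) <= capacity(width, height), "payload too large for this image"
    filler = bytes((i * 37) & 0xFF for i in range(capacity(width, height) - len(body)))
    return write_png_rgb(width, height, body + filler)


def extract(png):
    """Recover a payload stored by embed(): read the length prefix, then the bytes."""
    _, _, rgb = read_png_rgb(png)
    (n,) = struct.unpack(">I", rgb[:4])
    return rgb[4:4 + n]


# Constructed stand-in payload, similar in size to the 4,903-byte script.
SAMPLE_PAYLOAD = b"# placeholder PowerShell text, not the real script\n" * 90

if __name__ == "__main__":
    png = embed(SAMPLE_PAYLOAD, 41, 41)
    print(len(png), "bytes on disk;", capacity(41, 41), "byte capacity")
    print(extract(png) == SAMPLE_PAYLOAD)
```

For triage of a suspect image, `read_png_rgb` alone is the useful half: dump the samples and look for a length field, printable text, or a compression header at the start of the pixel data. An image whose pixels are payload rather than a picture tends to look like noise when opened, which is itself a tell when a tiny 41×41 file appears in a download chain.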

