You're Invited: Delivering malware via Google Calendar invites and PUAs
A creative and socially engineered delivery vector has been identified where threat actors are leveraging legitimate business utilities to bypass email filters and push malicious npm packages. The attackers use automated Google Calendar invites embedded with hidden Unicode "Private Use Access" (PUA) characters. These unprintable characters are used to brilliantly obfuscate malicious text and commands, tricking corporate users and automated detection systems alike. The calendar invites direct target users toward engineering packages that contain hidden malware, effectively blending malicious intent into standard daily corporate scheduling workflows and exploiting the inherent trust users place in automated calendar notifications.Organizations must implement strict mail server and collaboration tool policies to restrict calendar invites originating from untrusted, external domains. Security awareness training should be updated to warn employees against interacting with unexpected calendar entries containing external attachments or links. Furthermore, security operations teams should deploy advanced string-analysis filters capable of detecting and stripping hidden Unicode PUA characters from inbound collaboration streams.If you need expert assistance in identifying compromised packages, securing your CI/CD pipelines, or conducting an emergency supply chain audit, contact Cyberlinx today to protect your development environment.
Related Articles





