
The incident highlights how a seemingly innocuous developer dependency can become the delivery vehicle for malware hidden inside an image file, raising supply‑chain risk for the entire JavaScript ecosystem. Organizations must tighten package vetting and install‑time monitoring to prevent similar compromises.
Supply‑chain attacks on open‑source repositories have surged, and NPM remains a prime target because of its massive user base. Threat actors increasingly rely on typosquatting, registering packages whose names closely resemble popular tools, so that a single mistyped dependency name is enough to pull malicious code into a project. The tactic lowers the barrier to entry: because npm runs a package's install‑time lifecycle scripts automatically, the payload executes on every developer machine and CI runner that resolves the dependency, and it spreads as fast as automated dependency resolution carries it across projects and organizations.
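One concrete form of the "tighten package vetting" advice is a pre‑install check over package manifests. The script below is an added example, not code from the article or from any tool it mentions: it flags dependency names that sit within a small edit distance of a watchlist of popular packages (typosquat candidates) and flags packages that declare install‑time lifecycle hooks, which is where a malicious package gets to run code. The watchlist, the manifests and the names `lodahs` and `@acme/expres` are constructed for illustration.

```python
# Added example: a pre-install vetting pass over package.json manifests.
# Flags (a) dependency names within a small edit distance of a watchlist of
# popular packages and (b) install-time lifecycle hooks, the point at which a
# malicious package gets to run code. Watchlist and manifests are constructed.
import json

# Constructed watchlist; in practice seed it from the registry's download ranking.
POPULAR = ("lodash", "express", "react", "axios", "chalk", "commander", "minimist")
# Hooks npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name, watchlist=POPULAR, max_dist=2):
    """Popular names `name` could be mistaken for, nearest first.
    Distance 0 is the genuine package and is not reported."""
    base = name.rsplit("/", 1)[-1].lower()  # drop an @scope/ prefix
    hits = [(pop, edit_distance(base, pop)) for pop in watchlist]
    return sorted(((p, d) for p, d in hits if 0 < d <= max_dist), key=lambda h: h[1])


def vet_manifest(manifest):
    """Findings for one parsed package.json (root project or a node_modules entry)."""
    findings = []
    pkg = manifest.get("name", "<unnamed>")
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for dep in manifest.get(section, {}):
            for pop, d in typosquat_candidates(dep):
                findings.append((pkg, dep, f"distance {d} from popular package {pop!r}"))
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in INSTALL_HOOKS:
            findings.append((pkg, pkg, f"runs code at install via {hook}: {cmd!r}"))
    return findings


def vet_tree(manifest_jsons):
    """Run vet_manifest over raw JSON strings (root plus each node_modules/*/package.json)."""
    out = []
    for text in manifest_jsons:
        out.extend(vet_manifest(json.loads(text)))
    return out


# Constructed manifests: a root project and two installed packages. "lodahs" and
# "@acme/expres" are made-up names for illustration.
SAMPLE_MANIFESTS = [
    json.dumps({"name": "my-app",
                "dependencies": {"express": "^4.18.2", "lodahs": "4.17.0"},
                "devDependencies": {"@acme/expres": "1.0.0"}}),
    json.dumps({"name": "lodahs", "version": "4.17.0",
                "scripts": {"postinstall": "node ./scripts/setup.js"}}),
    json.dumps({"name": "express", "version": "4.18.2", "scripts": {"test": "mocha"}}),
]

if __name__ == "__main__":
    for pkg, dep, why in vet_tree(SAMPLE_MANIFESTS):
        print(f"[{pkg}] {dep}: {why}")
```

Run it over the root package.json plus every `node_modules/*/package.json` after `npm install --ignore-scripts`, and gate the real install on an empty finding list. Edit distance alone is a noisy signal for very short names, so in practice weight it by name length or require a minimum length before reporting; the lifecycle‑hook finding is the higher‑confidence one, since a legitimate library rarely needs to run code at install time.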
The technical sophistication of the buildrunner‑dev attack lies in its use of steganography to hide the Pulsar RAT inside a seemingly harmless PNG file. The loader recovers its hidden instructions by decoding the image and reading RGB pixel values, so the file on disk is a valid, renderable PNG: magic‑byte checks, file‑type allow‑lists and image scanners that never look at the pixel data all see an ordinary picture. Coupled with a 1,600‑line batch script padded with random words, the payload evades signature‑based detection. Additional evasion techniques, such as checking for specific antivirus products, copying itself to hidden directories, and abusing the auto‑elevating Windows binary fodhelper.exe to bypass User Account Control and gain elevated privileges, demonstrate a layered approach to defeating security controls.
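To make the steganography step concrete, the following added example (not code from the article, and not the malware's own loader) hides a byte string in the least‑significant bit of successive RGB channel bytes, writes a valid PNG, then recovers the bytes the way a loader would: by parsing the image and reading pixel values rather than inspecting the file container. It also shows that the same extraction on the untouched cover image yields nothing. The PNG reader/writer is a minimal pure‑stdlib implementation (8‑bit RGB, non‑interlaced, all five scanline filters) so the script runs offline; the gradient cover, the placeholder payload and the length‑prefixed LSB layout are constructed here and are assumptions, not the layout any particular loader uses.

```python
# Added example: hide bytes in RGB LSBs of a PNG, recover them by parsing
# pixels, and show a clean image yields nothing. Pure stdlib; constructed data.
import struct
import zlib

BPP = 3  # bytes per pixel for 8-bit RGB
PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Constructed placeholder, not the real campaign's hidden instructions.
PAYLOAD = b"PLACEHOLDER stage-2 instructions"


def _predict(ftype, a, b, c):
    """PNG scanline predictor (a=left, b=above, c=above-left), filter types 0-4."""
    if ftype == 4:  # Paeth
        p = a + b - c
        pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
        return a if pa <= pb and pa <= pc else (b if pb <= pc else c)
    return (0, a, b, (a + b) // 2)[ftype]


def _neighbours(line, prev, i):
    left = line[i - BPP] if i >= BPP else 0
    upleft = prev[i - BPP] if i >= BPP else 0
    return left, prev[i], upleft


def _chunk(tag, body):
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def write_png(width, height, rows):
    """Encode RGB scanlines; row y uses filter y % 5 so a round trip exercises
    every filter type the reader must undo (real encoders choose adaptively)."""
    raw, prev = bytearray(), bytearray(width * BPP)
    for y, line in enumerate(rows):
        ftype = y % 5
        raw.append(ftype)
        for i in range(width * BPP):
            raw.append((line[i] - _predict(ftype, *_neighbours(line, prev, i))) & 0xFF)
        prev = line
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(bytes(raw))) + _chunk(b"IEND", b""))


def read_png(data):
    """Return (width, height, rows) for an 8-bit RGB non-interlaced PNG."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat = 8, b""
    while pos + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype, _, _, ilace = struct.unpack(">IIBBBBB", body)
            if (depth, ctype, ilace) != (8, 2, 0):
                raise ValueError("only 8-bit RGB non-interlaced PNGs are handled here")
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length  # length + tag + body + crc
    raw, stride = zlib.decompress(idat), width * BPP
    rows, prev = [], bytearray(stride)
    for y in range(height):
        off = y * (stride + 1)
        ftype, line = raw[off], bytearray(raw[off + 1:off + 1 + stride])
        for i in range(stride):  # in place, so line[i-BPP] is already reconstructed
            line[i] = (line[i] + _predict(ftype, *_neighbours(line, prev, i))) & 0xFF
        rows.append(line)
        prev = line
    return width, height, rows


def embed(rows, payload):
    """Write a 4-byte length prefix plus payload, one bit per channel-byte LSB."""
    flat = bytearray(b"".join(bytes(r) for r in rows))
    blob = struct.pack(">I", len(payload)) + payload
    if len(blob) * 8 > len(flat):
        raise ValueError("cover image too small for payload")
    for i, byte in enumerate(blob):
        for j in range(8):
            flat[i * 8 + j] = (flat[i * 8 + j] & 0xFE) | ((byte >> (7 - j)) & 1)
    stride = len(rows[0])
    return [flat[k:k + stride] for k in range(0, len(flat), stride)]


def extract(rows):
    """What a stego loader does: walk the pixel bytes, gather LSBs, rebuild the
    blob. Returns None if the length prefix cannot fit, i.e. no payload in this layout."""
    flat = b"".join(bytes(r) for r in rows)

    def take(byte_off, n):
        out = bytearray()
        for k in range(n):
            v = 0
            for j in range(8):
                v = (v << 1) | (flat[(byte_off + k) * 8 + j] & 1)
            out.append(v)
        return bytes(out)

    n = struct.unpack(">I", take(0, 4))[0]
    if n == 0 or (n + 4) * 8 > len(flat):
        return None
    return take(4, n)


def demo(width=64, height=16):
    """Constructed gradient cover; returns (recovered payload, result on clean image)."""
    cover = [bytearray(v for x in range(width)
                       for v in ((x * 4) & 0xFF, (y * 16) & 0xFF, (x + y) & 0xFF))
             for y in range(height)]
    stego = write_png(width, height, embed(cover, PAYLOAD))
    clean = write_png(width, height, cover)
    return extract(read_png(stego)[2]), extract(read_png(clean)[2])
```

The point for defenders is in `read_png` and `extract`: the stego file passes every check that stops at the container (signature, chunk CRCs, a successful decode), and the hidden bytes only appear once something reads the pixel values. A scanner that wants to catch this class of loader has to decode images it finds in suspicious contexts (an npm package, a script's working directory) and run payload heuristics over the pixel data, not over the file.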
Pulsar RAT gives attackers full remote control, enabling data exfiltration, credential theft, and lateral movement within compromised networks. It is deployed through process hollowing: a legitimate process is started suspended and its memory replaced with the RAT, so the malware runs under a trusted process name and image path, which blunts detections that key on the executable rather than on its behaviour. For enterprises, the incident underscores the need for strict package‑origin verification, software‑bill‑of‑materials (SBOM) tracking, and runtime monitoring that flags install‑time signals such as an npm process spawning cmd.exe or PowerShell, a script reading image files and writing executables to hidden directories, or fodhelper.exe launching a child process. Proactive defenses, combined with developer education on typosquatting risks, are essential to safeguarding the modern software supply chain.