You're Invited: Delivering malware via Google Calendar invites and PUAs

May 13, 2025

A creative and socially engineered delivery vector has been identified where threat actors are leveraging legitimate business utilities to bypass email filters and push malicious npm packages. The attackers use automated Google Calendar invites embedded with hidden Unicode "Private Use Access" (PUA) characters. These unprintable characters are used to brilliantly obfuscate malicious text and commands, tricking corporate users and automated detection systems alike. The calendar invites direct target users toward engineering packages that contain hidden malware, effectively blending malicious intent into standard daily corporate scheduling workflows and exploiting the inherent trust users place in automated calendar notifications.Organizations must implement strict mail server and collaboration tool policies to restrict calendar invites originating from untrusted, external domains. Security awareness training should be updated to warn employees against interacting with unexpected calendar entries containing external attachments or links. Furthermore, security operations teams should deploy advanced string-analysis filters capable of detecting and stripping hidden Unicode PUA characters from inbound collaboration streams.If you need expert assistance in identifying compromised packages, securing your CI/CD pipelines, or conducting an emergency supply chain audit, contact Cyberlinx today to protect your development environment.

Table of Contents
Resource Type
Threat Intel
Category
DevSecOps
Written by
Cyberlinx Research Team
Offensive Security Research Team
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?