https://www.bleepingcomputer.com/news/security/malicious-npm-package-uses-unicode-steganography-to-evade-detection/

A malicious package in the Node Package Manager index uses invisible Unicode characters to hide malicious code and Google Calendar links to host the URL for the command-and-control location.

The package, named os-info-checker-es6, appears as an information utility and has been downloaded more than 1,000 times since the beginning of the month.