Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Qilin Dominates Ransomware Market – Infosecurity Magazine

July 3, 2026

Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw

July 3, 2026

FBI, Google Take Down NetNut Proxy Network Used by Cyber Threat Actors

July 3, 2026
Facebook X (Twitter) Instagram
Friday, July 3
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»Hijacked npm and Go Packages Use VS Code Tasks to Deploy Python Infostealer
News

Hijacked npm and Go Packages Use VS Code Tasks to Deploy Python Infostealer

Team-CWDBy Team-CWDJuly 3, 2026No Comments5 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


Cybersecurity researchers have uncovered two hijacked npm packages and a cluster of Go packages that are designed to deploy a Python-based information stealer on compromised Windows, Linux, and macOS hosts.

“This attack avoids the most common npm execution paths through lifecycle scripts, perhaps in an attempt to remain ‘compatible’ with npm v12’s security hardenings,” JFrog said in a technical analysis.

“The package hides execution inside a VS Code task, configured to run automatically when the project folder is opened in VS Code. From there, the malware retrieves encrypted JavaScript from blockchain transaction data, connects to attacker-controlled infrastructure, launches a socket.io backdoor, and eventually deploys a Python infostealer.

The names of the identified npm packages are listed below –

  • html-to-gutenberg
  • fetch-page-assets (which lists html-to-gutenberg as a dependency)

The two packages were uploaded to npm on May 25, 2026, and are no longer available for download from the registry. The starting point of the attack is a hidden Microsoft Visual Studio Code (VS Code) task named “eslint-check” that’s configured with the “runOn: ‘folderOpen'” option to trigger the execution of arbitrary code when the folder is opened as a workspace folder in an IDE like VS Code or Cursor.

“They do not recursively execute every nested .vscode/tasks.json; in this case, the trigger fires when the malicious package directory itself is opened as the workspace and marked as trusted, or that the developer explicitly allowed automatic tasks,” JFrog said. “The command also disguises the payload as a font file – public/fonts/fa-solid-400.woff2, even though the file just contains JavaScript code.”

It’s worth noting that the abuse of a VS Code auto-run task, coupled with the disguise of JavaScript malware as font files, has been attributed to North Korea. The OpenSourceMalware team, which is tracking the activity under the moniker Fake Font, has described it as a variant of Contagious Interview, a long-running campaign targeting software developers and technical personnel through fraudulent job interview processes.

“This ‘Fake Font’ campaign delivers a multi-stage loader that ultimately deploys the InvisibleFerret Python backdoor, designed to steal cryptocurrency wallets, browser credentials, and establish persistent access,” security researcher Paul McCarty noted back in January. “This is the third sub-campaign of the Contagious Interview’ campaign that has been ongoing since 2023.”

The bogus font file uses blockchain infrastructure as a dead drop resolver, relying on TronGrid and Aptos as a fallback mechanism to fetch a next-stage JavaScript payload in a manner that’s resilient to takedown efforts. The JavaScript stage repeats the same dead drop retrieval pattern to configure a command-and-control (C2) server that enables file uploads and Python malware delivery.

This includes setting up a Socket.io backdoor that grants the operator remote control over the infected host through features like shell execution, clipboard harvesting, file system operations, file upload, process management, and arbitrary JavaScript execution.

In parallel, the infection chain launches a Python loader component that’s responsible for retrieving the Python infostealer from the C2 server and installing the necessary dependencies. The artifact is a wide-ranging credential, browser, wallet, and developer artifact stealer that can siphon data stored in Chromium-based and Mozilla Firefox browsers, password managers, authenticators, and cryptocurrency wallets.

It’s also equipped to harvest developer-oriented information like Git credentials, GitHub CLI hosts.yml, GitHub Desktop logs, VS Code, and global storage, as well as data from Windows Credential Manager, Linux Secret Service, KDE Wallet, macOS Keychain, and cloud storage metadata for Dropbox, Google Drive, Microsoft OneDrive, Apple iCloud, Box, Mega, and pCloud.

In the final stage, the collected data is packaged into compressed ZIP archives and uploaded to the C2 server, and to a Telegram bot if a bot token is provided by the attacker during runtime.

The campaign has also targeted the Go ecosystem, with Nextron Systems discovering a set of 16 Go packages containing the same malware. The list is as follows –

  • github.com/lambda-platform/lambda
  • github.com/reauheau/goaubio
  • github.com/glacialspring/go-winsparkle
  • github.com/bm-197/chill
  • github.com/naol7/dist-task-scheduler
  • github.com/anatoli-derese/a2sv-excercise
  • github.com/amantsehay/a2sv-go-course
  • github.com/dexbotsdev/uniswap-v2-v3-arbitrage
  • github.com/lambda-platform/ebarimt-rest-api
  • github.com/lambda-platform/dan
  • github.com/zainirfan13/graphql-client
  • github.com/hngi/team-fierce-backend-golang
  • github.com/glacialspring/static
  • github.com/rickt/slack-weather-bot
  • github.com/Barsu5489/commerce
  • github.com/Setsu548/Logistic

“Most appear to be legitimate packages whose latest released version included the malware alongside the original package contents, using the same structure and fake font file,” JFrog added.

Users who have installed the packages are advised to remove them with immediate effect, search developer machines for hidden VS Code folder-open tasks, and rotate credentials, tokens, cloud credentials, API keys, browser-stored credentials, and wallet credentials.

“The payloads show that the attacker was interested in both immediate theft and interactive access,” the cybersecurity company concluded. “The socket.io-based backdoor provides command execution and file collection, while the Python stage performs wide credential and wallet harvesting across browsers, OS credential stores, developer tooling, and cryptocurrency applications.”

Update

When reached for comment, JFrog security researcher Guy Korolevski affirmed the similarities between the latest activity and Fake Font, adding it’s “probably an evolution of the previous campaign.”

While the earlier iteration targeted GitHub users, the new campaign focuses on malicious packages in both npm and Go, the latter of which are hosted on GitHub. “The delivery system changed and shifted to public blockchain infrastructure as a dead drop mechanism, and the lure is malicious packages in both npm and Go,” Korolevski noted.

(The story was updated after publication to include a response from JFrog.)



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleOver 300 UK Firms Hit by Ransomware in a Year
Next Article FBI, Google Take Down NetNut Proxy Network Used by Cyber Threat Actors
Team-CWD
  • Website

Related Posts

News

Qilin Dominates Ransomware Market – Infosecurity Magazine

July 3, 2026
News

Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw

July 3, 2026
News

FBI, Google Take Down NetNut Proxy Network Used by Cyber Threat Actors

July 3, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Is it time for internet services to adopt identity verification?

January 14, 2026

Look out for phony verification pages spreading malware

September 14, 2025

A stealthy RAT burrowing deep into Android devices

May 26, 2026

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.