Hijacked npm and Go Packages Use VS Code Tasks to Deploy Python Infostealer

Cybersecurity researchers have uncovered two hijacked npm packages and a cluster of Go packages that are designed to deploy a Python-based information stealer on compromised Windows, Linux, and macOS hosts.

“This attack avoids the most common npm execution paths through lifecycle scripts, perhaps in an attempt to remain ‘compatible’ with npm v12’s security hardenings,” JFrog said in a technical analysis.

“The package hides execution inside a VS Code task, configured to run automatically when the project folder is opened in VS Code. From there, the malware retrieves encrypted JavaScript from blockchain transaction data, connects to attacker-controlled infrastructure, launches a socket.io backdoor, and eventually deploys a Python infostealer.”

The names of the identified npm packages are listed below –

  • html-to-gutenberg
  • fetch-page-assets (which lists html-to-gutenberg as a dependency)

The two packages were uploaded to npm on May 25, 2026, and are no longer available for download from the registry. The starting point of the attack is a hidden Microsoft Visual Studio Code (VS Code) task named “eslint-check” that’s configured with the “runOn: ‘folderOpen’” option to trigger the execution of arbitrary code when the folder is opened as a workspace folder in an IDE like VS Code or Cursor.


“They do not recursively execute every nested .vscode/tasks.json; in this case, the trigger fires when the malicious package directory itself is opened as the workspace and marked as trusted, or the developer explicitly allowed automatic tasks,” JFrog said. “The command also disguises the payload as a font file – public/fonts/fa-solid-400.woff2 – even though the file just contains JavaScript code.”

It’s worth noting that the abuse of a VS Code auto-run task, coupled with the disguise of JavaScript malware as font files, has been attributed to North Korea. The OpenSourceMalware team, which is tracking the activity under the moniker Fake Font, has described it as a variant of Contagious Interview, a long-running campaign targeting software developers and technical personnel through fraudulent job interview processes.

“This ‘Fake Font’ campaign delivers a multi-stage loader that ultimately deploys the InvisibleFerret Python backdoor, designed to steal cryptocurrency wallets, browser credentials, and establish persistent access,” security researcher Paul McCarty noted back in January. “This is the third sub-campaign of the ‘Contagious Interview’ campaign that has been ongoing since 2023.”

The bogus font file uses blockchain infrastructure as a dead drop resolver, relying on TronGrid and Aptos as a fallback mechanism to fetch a next-stage JavaScript payload in a manner that’s resilient to takedown efforts. The JavaScript stage repeats the same dead drop retrieval pattern to configure a command-and-control (C2) server that enables file uploads and Python malware delivery.

This includes setting up a Socket.io backdoor that grants the operator remote control over the infected host through features like shell execution, clipboard harvesting, file system operations, file upload, process management, and arbitrary JavaScript execution.

In parallel, the infection chain launches a Python loader component that’s responsible for retrieving the Python infostealer from the C2 server and installing the necessary dependencies. The stealer itself is a wide-ranging credential, browser, wallet, and developer-artifact stealer that can siphon data stored in Chromium-based and Mozilla Firefox browsers, password managers, authenticators, and cryptocurrency wallets.

It’s also equipped to harvest developer-oriented information like Git credentials, GitHub CLI hosts.yml, GitHub Desktop logs, VS Code, and global storage, as well as data from Windows Credential Manager, Linux Secret Service, KDE Wallet, macOS Keychain, and cloud storage metadata for Dropbox, Google Drive, Microsoft OneDrive, Apple iCloud, Box, Mega, and pCloud.

In the final stage, the collected data is packaged into compressed ZIP archives and uploaded to the C2 server, and to a Telegram bot if a bot token is provided by the attacker during runtime.


The campaign has also targeted the Go ecosystem, with Nextron Systems discovering a set of 16 Go packages containing the same malware. The list is as follows –

  • github.com/lambda-platform/lambda
  • github.com/reauheau/goaubio
  • github.com/glacialspring/go-winsparkle
  • github.com/bm-197/chill
  • github.com/naol7/dist-task-scheduler
  • github.com/anatoli-derese/a2sv-excercise
  • github.com/amantsehay/a2sv-go-course
  • github.com/dexbotsdev/uniswap-v2-v3-arbitrage
  • github.com/lambda-platform/ebarimt-rest-api
  • github.com/lambda-platform/dan
  • github.com/zainirfan13/graphql-client
  • github.com/hngi/team-fierce-backend-golang
  • github.com/glacialspring/static
  • github.com/rickt/slack-weather-bot
  • github.com/Barsu5489/commerce
  • github.com/Setsu548/Logistic

“Most appear to be legitimate packages whose latest released version included the malware alongside the original package contents, using the same structure and fake font file,” JFrog added.

Users who have installed the packages are advised to remove them with immediate effect, search developer machines for hidden VS Code folder-open tasks, and rotate credentials, tokens, cloud credentials, API keys, browser-stored credentials, and wallet credentials.
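The “search developer machines for hidden VS Code folder-open tasks” step above can be scripted. The following Python scanner is an added example written for this article, not code from JFrog, Nextron or the affected projects: it walks a directory tree, parses every `.vscode/tasks.json` it finds (tolerating the comments VS Code allows in that file), and reports tasks whose `runOptions.runOn` is `folderOpen`, additionally flagging the traits the article describes, namely a command that executes a file with a font or image extension and a hidden terminal. The embedded `SAMPLE_TASKS_JSON` is a constructed sample modelled on the description (label `eslint-check`, `.woff2` payload path); the exact command in the real task is not given on the page and is an assumption here.

```python
import json
import re
from pathlib import Path

# Constructed sample modelled on the article's description of the hidden task.
# The real task's command line is not on the page; "node <font path>" is an assumption.
SAMPLE_TASKS_JSON = """{
  // tasks.json is JSONC, so comment lines like this one are legal
  "version": "2.0.0",
  "tasks": [
    {
      "label": "eslint-check",
      "type": "shell",
      "command": "node public/fonts/fa-solid-400.woff2",
      "presentation": { "reveal": "never" },
      "runOptions": { "runOn": "folderOpen" }
    },
    { "label": "build", "type": "npm", "script": "build" }
  ]
}"""

# Extensions that a task has no legitimate reason to hand to an interpreter.
NON_CODE_EXTS = (".woff", ".woff2", ".ttf", ".otf", ".png", ".jpg", ".svg", ".ico")


def strip_jsonc(text):
    """Make VS Code's JSONC acceptable to json.loads.

    Handles block comments, whole-line // comments and trailing commas.
    Inline // comments after a value are deliberately left alone so that
    URLs such as "https://..." inside strings are not mangled."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return text


def task_command_text(task):
    """Join every string a task could execute: command and args, including
    the per-OS overrides (windows/linux/osx) that tasks.json permits."""
    parts = []
    for scope in (task, task.get("windows") or {}, task.get("linux") or {}, task.get("osx") or {}):
        cmd = scope.get("command")
        if isinstance(cmd, str):
            parts.append(cmd)
        for arg in scope.get("args") or []:
            # args entries may be plain strings or {"value": ..., "quoting": ...} objects
            if isinstance(arg, dict):
                arg = arg.get("value")
            if isinstance(arg, str):
                parts.append(arg)
    return " ".join(parts)


def find_auto_tasks(tasks_json_text):
    """Return a finding for each task that auto-runs when the folder is opened."""
    data = json.loads(strip_jsonc(tasks_json_text))
    findings = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd = task_command_text(task)
        reasons = ["runOn=folderOpen"]
        if any(tok.lower().endswith(NON_CODE_EXTS) for tok in cmd.split()):
            reasons.append("executes a file with a non-code extension")
        if (task.get("presentation") or {}).get("reveal") == "never":
            reasons.append("terminal output hidden (reveal=never)")
        findings.append({"label": task.get("label"), "command": cmd, "reasons": reasons})
    return findings


def scan_tree(root):
    """Map each .vscode/tasks.json under root to its findings (unparseable files are reported too)."""
    results = {}
    for path in Path(root).glob("**/.vscode/tasks.json"):
        try:
            findings = find_auto_tasks(path.read_text(encoding="utf-8", errors="replace"))
        except (json.JSONDecodeError, OSError) as exc:
            findings = [{"label": None, "command": None, "reasons": [f"unparseable: {exc}"]}]
        if findings:
            results[str(path)] = findings
    return results


if __name__ == "__main__":
    import sys
    # With a path argument, scan that tree (e.g. a checkout dir or GOPATH/pkg/mod);
    # otherwise demonstrate on the constructed sample.
    if len(sys.argv) > 1:
        for file, hits in scan_tree(sys.argv[1]).items():
            for hit in hits:
                print(f"{file}: {hit['label']!r} -> {hit['command']!r} [{'; '.join(hit['reasons'])}]")
    else:
        for hit in find_auto_tasks(SAMPLE_TASKS_JSON):
            print(f"{hit['label']!r} -> {hit['command']!r} [{'; '.join(hit['reasons'])}]")
```

Run it against `node_modules`, a Go module cache, or a developer's whole home directory. Any `folderOpen` task is worth a look, but one that hands a `.woff2` or image file to an interpreter and suppresses its terminal matches the pattern described here exactly. Note that VS Code only runs such tasks once the folder is trusted and automatic tasks are allowed, so a hit on disk does not by itself prove execution; the credential rotation advised above still applies if the package was opened.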

“The payloads show that the attacker was interested in both immediate theft and interactive access,” the cybersecurity company concluded. “The socket.io-based backdoor provides command execution and file collection, while the Python stage performs wide credential and wallet harvesting across browsers, OS credential stores, developer tooling, and cryptocurrency applications.”
