Cybersecurity researchers have uncovered two hijacked npm packages and a cluster of Go packages that are designed to deploy a Python-based information stealer on compromised Windows, Linux, and macOS hosts.
“This attack avoids the most common npm execution paths through lifecycle scripts, perhaps in an attempt to remain ‘compatible’ with npm v12’s security hardenings,” JFrog said in a technical analysis.
“The package hides execution inside a VS Code task, configured to run automatically when the project folder is opened in VS Code. From there, the malware retrieves encrypted JavaScript from blockchain transaction data, connects to attacker-controlled infrastructure, launches a socket.io backdoor, and eventually deploys a Python infostealer.”
The names of the identified npm packages are listed below –
- html-to-gutenberg
- fetch-page-assets (which lists html-to-gutenberg as a dependency)
The two packages were uploaded to npm on May 25, 2026, and have since been removed from the registry. The starting point of the attack is a hidden Microsoft Visual Studio Code (VS Code) task named “eslint-check”, declared in the package’s .vscode/tasks.json with the “runOn: ‘folderOpen’” option, which tells VS Code, or a VS Code-based editor such as Cursor, to run the task’s command as soon as the folder is opened as a workspace folder.
“They do not recursively execute every nested .vscode/tasks.json; in this case, the trigger fires when the malicious package directory itself is opened as the workspace and marked as trusted, or when the developer has explicitly allowed automatic tasks,” JFrog said. “The command also disguises the payload as a font file – public/fonts/fa-solid-400.woff2, even though the file just contains JavaScript code.”
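The two tells described above, an auto-run task and a “font” that is really script, are both cheap to check before a cloned or installed package is ever opened in an editor. The following Node.js scanner is an added example written for this article, not JFrog’s tooling or code from the packages; the sample tasks.json, the sample file bytes and the helper names are constructed for illustration, and the comment stripper and the “looks like JavaScript” heuristic are deliberately simple.

```javascript
// Added example (not JFrog's or the packages' code): a Node.js audit for
// (1) a VS Code task with runOptions.runOn === "folderOpen" and
// (2) a file with a font extension whose bytes carry no font magic number.
// All sample input below is constructed for illustration.

// VS Code's tasks.json is JSON with comments; strip them before parsing.
// Naive: only whole-line // comments and /* */ blocks, so URLs inside
// string values ("https://...") are left alone.
function stripJsonComments(text) {
  return text.replace(/\/\*[\s\S]*?\*\//g, "").replace(/^\s*\/\/.*$/gm, "");
}

// Return every task VS Code/Cursor would start automatically on folderOpen.
function findAutoRunTasks(tasksJsonText) {
  const doc = JSON.parse(stripJsonComments(tasksJsonText));
  const tasks = Array.isArray(doc.tasks) ? doc.tasks : [];
  return tasks
    .filter((t) => t && t.runOptions && t.runOptions.runOn === "folderOpen")
    .map((t) => ({
      label: t.label || "(unlabelled)",
      command: [t.command, ...(t.args || [])].filter(Boolean).join(" "),
    }));
}

// Magic numbers of the font formats each extension may legitimately carry.
const FONT_MAGIC = {
  woff2: [Buffer.from("wOF2")],
  woff: [Buffer.from("wOFF")],
  ttf: [Buffer.from([0x00, 0x01, 0x00, 0x00]), Buffer.from("true")],
  otf: [Buffer.from("OTTO")],
};

// True only if the leading bytes match a magic number valid for the extension.
function looksLikeFont(fileName, bytes) {
  const ext = fileName.split(".").pop().toLowerCase();
  const magics = FONT_MAGIC[ext];
  if (!magics) return false;
  return magics.some((m) => bytes.length >= m.length && bytes.subarray(0, m.length).equals(m));
}

// Heuristic: mostly printable ASCII plus JS-looking tokens. Real fonts are
// binary and fail the printable-ratio test on their first 512 bytes.
function looksLikeJavaScript(bytes) {
  const head = bytes.subarray(0, 512).toString("latin1");
  const printable = head.replace(/[^\x20-\x7e\r\n\t]/g, "").length / Math.max(head.length, 1);
  return printable > 0.95 && /\b(function|require|eval|const|var)\b|=>|\(\s*function/.test(head);
}

// Run both checks and report findings the way a pre-install audit would.
// `files` maps a path inside the package to its bytes.
function auditPackage(tasksJsonText, files) {
  const findings = [];
  for (const t of findAutoRunTasks(tasksJsonText)) {
    findings.push(`auto-run task "${t.label}" runs: ${t.command}`);
  }
  for (const [name, bytes] of Object.entries(files)) {
    if (/\.(woff2?|ttf|otf)$/i.test(name) && !looksLikeFont(name, bytes)) {
      const extra = looksLikeJavaScript(bytes) ? " (content looks like JavaScript)" : "";
      findings.push(`"${name}" has a font extension but no font magic bytes${extra}`);
    }
  }
  return findings;
}

// --- constructed sample input modelled on the description in the article ---
const SAMPLE_TASKS_JSON = `{
  // VS Code permits comments in this file
  "version": "2.0.0",
  "tasks": [
    {
      "label": "eslint-check",
      "type": "shell",
      "command": "node",
      "args": ["public/fonts/fa-solid-400.woff2"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }
    },
    { "label": "build", "type": "shell", "command": "npm run build" }
  ]
}`;

const SAMPLE_FILES = {
  // constructed fake font: plain JavaScript under a .woff2 name
  "public/fonts/fa-solid-400.woff2": Buffer.from(
    "(function(){var h=require('https');/* next stage would be fetched here */})();"
  ),
  // constructed benign font: correct WOFF2 magic followed by filler bytes
  "public/fonts/real-font.woff2": Buffer.concat([Buffer.from("wOF2"), Buffer.alloc(64, 0x7f)]),
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditPackage(SAMPLE_TASKS_JSON, SAMPLE_FILES)) console.log("FINDING:", f);
}
```

Run against the constructed sample it reports two findings: the “eslint-check” task that starts on folderOpen, and the .woff2 whose first bytes are script rather than the wOF2 signature, while the well-formed font passes. Pointing `auditPackage` at a real extracted tarball (read .vscode/tasks.json and the font directory from disk) is the obvious next step; the magic-number check is the part worth keeping, since an attacker can rename a payload but cannot make it start with a font signature and still be loadable as JavaScript.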
It’s worth noting that the abuse of a VS Code auto-run task, coupled with the disguise of JavaScript malware as font files, has been attributed to North Korea. The OpenSourceMalware team, which is tracking the activity under the moniker Fake Font, has described it as a variant of Contagious Interview, a long-running campaign targeting software developers and technical personnel through fraudulent job interview processes.
“This ‘Fake Font’ campaign delivers a multi-stage loader that ultimately deploys the InvisibleFerret Python backdoor, designed to steal cryptocurrency wallets, browser credentials, and establish persistent access,” security researcher Paul McCarty noted back in January. “This is the third sub-campaign of the ‘Contagious Interview’ campaign that has been ongoing since 2023.”
The bogus font file uses blockchain infrastructure as a dead drop resolver, relying on TronGrid and Aptos as a fallback mechanism to fetch a next-stage JavaScript payload in a manner that’s resilient to takedown efforts. The JavaScript stage repeats the same dead drop retrieval pattern to configure a command-and-control (C2) server that enables file uploads and Python malware delivery.
This includes setting up a Socket.io backdoor that grants the operator remote…