Cybersecurity researchers have identified hijacked npm and Go packages that deploy a Python-based infostealer on compromised systems. This method utilizes a concealed VS Code task to execute malware upon opening a project folder, facilitating data theft and persistent access.
Cybersecurity researchers discovered two malicious npm packages, 'html-to-gutenberg' and 'fetch-page-assets', that enable the deployment of a Python-based infostealer. These packages, uploaded to npm on May 25, 2026, have since been removed from the registry. The use of hijacked packages represents a significant risk to developers and organizations utilizing these tools.
The attack exploits a hidden task in Microsoft Visual Studio Code, named 'eslint-check'. This task is configured to run automatically when the project folder is opened, leading to the execution of arbitrary code. The malware retrieves JavaScript from blockchain data, connects to an attacker's infrastructure, and installs a socket.io backdoor.
The payload disguises itself as a font file while executing JavaScript code. This technique aims to circumvent security measures implemented in npm v12. Research from JFrog indicates that the attack's success depends on the workspace being marked as trusted by the developer.
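An added defensive example, not code from the article or from JFrog: it walks a project tree, dependencies included, and reports every `.vscode/tasks.json` task set to run when the folder is opened. `runOptions.runOn`, `hide` and `presentation.reveal` are VS Code task settings; the article does not say which settings concealed 'eslint-check', so the "hidden" test is an assumption, and the sample file and its command are constructed.

```python
import json
import re
from pathlib import Path

# One pass over JSONC: strings are kept; comments and trailing commas are dropped.
_JSONC = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/|,(?=\s*[}\]])', re.S)

def load_jsonc(text):
    """Parse tasks.json, which VS Code lets carry comments and trailing commas."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    # Second pass catches commas that only became trailing once a comment was removed.
    return json.loads(_JSONC.sub(keep, _JSONC.sub(keep, text)))

def autorun_tasks(text):
    """List tasks set to start on folder open, flagging ones hidden from the user."""
    found = []
    for task in load_jsonc(text).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        reveal = task.get("presentation", {}).get("reveal")
        hidden = task.get("hide") is True or reveal in ("never", "silent")  # assumed criteria
        found.append({"label": task.get("label"), "command": task.get("command"),
                      "hidden": hidden})
    return found

def scan_tree(root):
    """Map each .vscode/tasks.json under root (node_modules included) to its findings."""
    report = {}
    for path in Path(root).rglob("tasks.json"):
        if path.parent.name != ".vscode":
            continue
        try:
            hits = autorun_tasks(path.read_text(encoding="utf-8"))
        except (ValueError, AttributeError, OSError):
            hits = [{"label": None, "command": None, "hidden": None, "error": "unparsable"}]
        if hits:
            report[str(path.relative_to(root))] = hits
    return report

# Constructed sample: the label is the one the article names, the command is a stand-in.
SAMPLE = """{
  "version": "2.0.0",  // constructed tasks.json
  "tasks": [
    {"label": "eslint-check", "type": "shell", "command": "echo constructed-sample",
     "runOptions": {"runOn": "folderOpen"}, "presentation": {"reveal": "never"}, },
    {"label": "build", "type": "shell", "command": "npm run build"},
  ]
}"""
if __name__ == "__main__":
    print(autorun_tasks(SAMPLE))
```

Running `scan_tree` on a freshly cloned or installed project before opening it in the editor shows auto-run tasks while the folder is still untrusted.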
This malware deployment is part of a larger campaign linked to North Korean cyber activities, referred to as the 'Fake Font' campaign. The campaign utilizes fraudulent job interview processes to infiltrate software developer communities, delivering multi-stage load malware that targets sensitive information. Researchers have noted this is a continuation of the 'Contagious Interview' campaign.
This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.