
Hijacked npm and Go Packages Deploy Python Infostealer via VS Code Tasks

Aggregated by BrevFeed security · updated 1d ago

Cybersecurity researchers have identified hijacked npm and Go packages that deploy a Python-based infostealer on compromised systems. This method utilizes a concealed VS Code task to execute malware upon opening a project folder, facilitating data theft and persistent access.

Key points

Discovery of Hijacked Packages

Cybersecurity researchers discovered two malicious npm packages, 'html-to-gutenberg' and 'fetch-page-assets', which were found to enable the deployment of a Python-based infostealer. These packages, uploaded to npm on May 25, 2026, have since been removed from the registry. The use of hijacked packages represents a significant risk to developers and organizations utilizing these tools.

Exploitation via VS Code

The attack exploits a hidden task in Microsoft Visual Studio Code, named 'eslint-check'. This task is configured to run automatically when the project folder is opened, leading to the execution of arbitrary code. The malware retrieves JavaScript from blockchain data, connects to an attacker's infrastructure, and installs a socket.io backdoor.
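For defenders, one way to find such tasks before a folder is trusted is to scan every `.vscode/tasks.json` in a clone or dependency tree for tasks set to run on folder open. The following is an added example, not code from the article or from the researchers; it assumes the standard VS Code task fields `runOptions.runOn`, `hide` and `presentation.reveal`, the function names are hypothetical, and the sample file is constructed (only the label 'eslint-check' comes from the reporting).

```python
import json
import re
from pathlib import Path

# Strings are matched first so comment markers and commas inside them survive.
_JSONC = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/|,(?=\s*[}\]])', re.S)

def load_jsonc(text):
    """Parse tasks.json, which VS Code allows to hold comments and trailing commas."""
    return json.loads(_JSONC.sub(lambda m: m[0] if m[0][0] == '"' else "", text))

def autorun_tasks(text):
    """Return one finding per task set to start when the folder is opened."""
    doc = load_jsonc(text)
    tasks = doc.get("tasks", []) if isinstance(doc, dict) else []
    findings = []
    for task in (t for t in tasks if isinstance(t, dict)):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        reveal = (task.get("presentation") or {}).get("reveal")
        argv = [task.get("command", "")] + list(task.get("args") or [])
        findings.append({
            "label": task.get("label", "<unlabelled>"),
            "command": " ".join(str(a) for a in argv).strip(),
            # Hidden from the task picker, or terminal panel not revealed.
            "concealed": task.get("hide") is True or reveal in ("never", "silent"),
        })
    return findings

def scan_tree(root):
    """Map each .vscode/tasks.json under root to its auto-run findings."""
    results = {}
    for path in (p for p in Path(root).rglob("tasks.json") if p.parent.name == ".vscode"):
        try:
            found = autorun_tasks(path.read_text(encoding="utf-8", errors="replace"))
        except (ValueError, OSError, AttributeError):
            found = [{"label": "<unparseable>", "command": "", "concealed": False}]
        if found:
            results[str(path)] = found
    return results

# Constructed sample: only the label 'eslint-check' comes from the article.
SAMPLE = """{ // constructed example, not the real file
  "version": "2.0.0",
  "tasks": [
    {"label": "eslint-check", "command": "node", "args": ["placeholder.js"], "hide": true,
     "presentation": {"reveal": "never",}, "runOptions": {"runOn": "folderOpen"}},
    {"label": "build", "type": "shell", "command": "npm run build"},
  ]
}"""
```

Run `scan_tree` over a fresh clone or `node_modules` before opening it in the editor; any finding with `concealed` set deserves a manual read of the command.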

Malware Strategy

The payload disguises itself as a font file while executing JavaScript code. This technique aims to circumvent security measures implemented in npm v12. Research from JFrog indicates that the attack's success depends on the workspace being marked as trusted by the developer.

Connection to Ongoing Cyber Activities

This malware deployment is part of a larger campaign linked to North Korean cyber activities, referred to as the 'Fake Font' campaign. The campaign utilizes fraudulent job interview processes to infiltrate software developer communities, delivering multi-stage load malware that targets sensitive information. Researchers have noted this is a continuation of the 'Contagious Interview' campaign.

This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.
