Hijacked npm and Go Packages Deploy Python Infostealer via VS Code

Cybersecurity researchers have identified a sophisticated supply chain attack involving compromised npm and Go packages designed to deploy a Python-based information stealer across Windows, Linux, and macOS systems.

Malicious npm Packages Exploit VS Code Tasks

The attack centers on two npm packages: html-to-gutenberg and fetch-page-assets. These packages were uploaded to the npm registry on May 25, 2026, and have since been removed. The malicious code is embedded within a hidden Visual Studio Code (VS Code) task named “eslint-check,” configured to execute automatically when the project folder is opened in VS Code. This setup allows the malware to initiate without user intervention, leveraging the trust developers place in their development environments.

Upon activation, the task executes a file stored at public/fonts/fa-solid-400.woff2 that is disguised as a web font. Despite the extension, this file contains JavaScript code that retrieves encrypted payloads from blockchain transaction data. Using blockchain infrastructure as a command-and-control channel makes the attack resilient and difficult to disrupt, since the transactions cannot be taken down the way a conventional server can.
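The two indicators the article describes, a VS Code task that starts on folder open and a "font" file that is really script, can both be checked for mechanically before a package is opened in an editor. The following Python script is an added defender-side example, not code from the article or from the researchers it reports on. It assumes the task used VS Code's documented `"runOptions": {"runOn": "folderOpen"}` mechanism (the article does not reproduce the tasks.json), and the sample package tree it builds, including the `node public/fonts/...` command, is constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Leading bytes of the common web-font containers (constructed lookup table).
FONT_MAGIC = {
    ".woff2": (b"wOF2",),
    ".woff": (b"wOFF",),
    ".ttf": (b"\x00\x01\x00\x00", b"true"),
    ".otf": (b"OTTO",),
}


def load_jsonc(path):
    """Parse a VS Code JSON file, tolerating the full-line // comments it allows."""
    text = Path(path).read_text(encoding="utf-8")
    try:
        return json.loads(text)
    except ValueError:
        kept = [ln for ln in text.splitlines() if not ln.lstrip().startswith("//")]
        return json.loads("\n".join(kept))


def auto_run_tasks(tasks_json):
    """Return (label, command) for tasks VS Code would start when the folder is opened.

    Assumption: the task uses "runOptions": {"runOn": "folderOpen"}, the documented
    VS Code mechanism for automatic tasks; the article does not show the file itself.
    """
    tasks_json = Path(tasks_json)
    if not tasks_json.is_file():
        return []
    hits = []
    for task in load_jsonc(tasks_json).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
            hits.append((task.get("label", "<unlabelled>"), " ".join(parts).strip()))
    return hits


def fake_fonts(root):
    """Return (relative path, first bytes) for font-named files without a font signature."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        ext = path.suffix.lower()
        if path.is_file() and ext in FONT_MAGIC:
            with path.open("rb") as fh:
                head = fh.read(4)
            if not any(head.startswith(magic) for magic in FONT_MAGIC[ext]):
                hits.append((path.relative_to(root).as_posix(), head))
    return hits


def scan(root):
    """Combine both checks into a list of (kind, detail) findings."""
    root = Path(root)
    findings = [("auto-run-task", f"{label}: {cmd}")
                for label, cmd in auto_run_tasks(root / ".vscode" / "tasks.json")]
    findings += [("fake-font", f"{p} starts with {head!r}") for p, head in fake_fonts(root)]
    return findings


def build_sample(root):
    """Write a constructed package tree modelled on the article's description."""
    root = Path(root)
    (root / ".vscode").mkdir(parents=True)
    (root / ".vscode" / "tasks.json").write_text(json.dumps({
        "version": "2.0.0",
        "tasks": [
            {"label": "eslint-check", "type": "shell",
             # Constructed command; the article only says the task runs the fake font file.
             "command": "node public/fonts/fa-solid-400.woff2",
             "runOptions": {"runOn": "folderOpen"}},
            {"label": "build", "type": "shell", "command": "npm run build"},
        ],
    }))
    fonts = root / "public" / "fonts"
    fonts.mkdir(parents=True)
    # Stand-in for the script disguised as a font: text, not a WOFF2 header.
    (fonts / "fa-solid-400.woff2").write_text("// constructed placeholder, not the loader\n")
    # A genuinely font-shaped file, which must not be flagged.
    (fonts / "real.woff2").write_bytes(b"wOF2" + b"\x00" * 28)


def demo():
    """Build the sample tree in a temporary directory and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"[{kind}] {detail}")
```

Run against a freshly extracted package (`scan("path/to/package")`) before opening it in an editor. A `folderOpen` task is legitimate in some projects, so the finding is a prompt to read the command, not a verdict on its own; a font file whose header is not a font signature is much harder to explain away. On the editor side, VS Code only starts automatic tasks inside a trusted workspace, and the `task.allowAutomaticTasks` setting turns them off entirely, so keeping unfamiliar repositories in Restricted Mode removes the trigger this campaign relied on.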

Deployment of Python-Based Infostealer

The JavaScript payload establishes a connection to attacker-controlled servers, setting up a Socket.io backdoor. This backdoor grants remote control over the infected system, enabling operations such as shell execution, clipboard monitoring, file system manipulation, and arbitrary JavaScript execution. Subsequently, a Python loader is deployed to fetch and install a comprehensive information stealer.

The Python-based malware is designed to extract a wide range of sensitive data, including credentials stored in Chromium-based and Mozilla Firefox browsers, password managers, authentication applications, and cryptocurrency wallets. This extensive data harvesting poses significant risks to developers and organizations, potentially leading to unauthorized access and financial loss.

Broader Implications and Historical Context

This incident is part of a broader trend of supply chain attacks targeting developers through trusted platforms. Similar campaigns have been observed, such as the “Fake Font” campaign attributed to North Korean actors, which also utilized VS Code tasks and disguised malicious code as font files to deploy backdoors and steal sensitive information.

These attacks underscore the evolving tactics of threat actors who exploit the trust inherent in widely used development tools and package repositories. By compromising packages that developers rely on, attackers can infiltrate systems at the source, making detection and mitigation more challenging.

In light of these developments, it’s imperative for developers and organizations to exercise heightened vigilance. Regularly auditing dependencies, scrutinizing the behavior of development tools, and implementing robust security practices are essential steps to mitigate the risks associated with such sophisticated supply chain attacks.