Key Takeaways
- Two malicious npm packages (
html-to-gutenbergandfetch-page-assets) were uploaded on May 25 2026 and later removed; they trigger execution via a hidden VS Code task that runs when the project folder is opened. - The attack disguises JavaScript as a font file (
public/fonts/fa-solid-400.woff2) and uses blockchain dead‑drop resolvers (TronGrid, Aptos) to retrieve staged payloads. - A Socket.io‑based backdoor gives attackers remote shell, clipboard, file‑system, and process control, while a Python loader fetches an information‑stealer that harvests credentials, browser data, cryptocurrency wallets, and developer artefacts.
- The same malware chain was found in 16 Go packages, indicating a cross‑ecosystem supply‑chain campaign linked to the North Korea‑associated “Fake Font” (Contagious Interview) operation.
- Immediate remediation requires removing the packages, auditing VS Code tasks for auto‑run entries, and rotating all potentially exposed secrets (tokens, API keys, wallet credentials, etc.).
Overview of the Attack
Cybersecurity researchers from JFrog uncovered a sophisticated supply‑chain intrusion that leveraged both the npm and Go ecosystems to deliver a Python‑based information stealer. The campaign began with two malicious npm packages uploaded on May 25 2026, which have since been purged from the registry. By abusing a concealed Visual Studio Code task configured to execute automatically when a workspace folder is opened, the attackers bypassed typical npm lifecycle‑script protections introduced in npm v12. The infection chain proceeds through multiple stages, ultimately deploying a versatile stealer capable of exfiltrating credentials, cryptocurrency wallets, and developer‑specific data across Windows, Linux, and macOS hosts.
Malicious npm Packages and VS Code Task
The compromised packages are named html-to-gutenberg and fetch-page-assets, the latter listing the former as a dependency. Both contain a hidden VS Code task defined in .vscode/tasks.json called “eslint-check”. The task uses the "runOn": "folderOpen" option, causing it to launch automatically whenever the folder containing the package is opened as a trusted workspace in VS Code, Cursor, or any IDE that respects VS Code task settings. This technique ensures the malicious code runs without explicit user interaction, relying instead on the developer’s routine workflow.
Execution Flow and Disguise
When the task triggers, it executes a command that masquerades as a harmless font file: public/fonts/fa-solid-400.woff2. In reality, the file contains encrypted JavaScript code. The script first contacts blockchain‑based dead‑drop services (TronGrid, with Aptos as a fallback) to retrieve the next‑stage payload. By storing the intermediate code on public blockchain transaction data, the attackers create a resilient distribution mechanism that is difficult to takedown through traditional domain or IP blocking. The retrieved JavaScript then repeats the dead‑drop pattern to obtain a command‑and‑control (C2) server address.
Link to the Fake Font Campaign
The use of a VS Code auto‑run task combined with the camouflage of JavaScript as a font file has been previously attributed to a North Korea‑linked operation tracked by the OpenSourceMalware team under the moniker “Fake Font”. This campaign is a variant of the long‑running “Contagious Interview” scheme, which lures developers through fraudulent job‑interview processes. The Fake Font sub‑campaign delivers a multi‑stage loader that ultimately installs the InvisibleFerret Python backdoor, a tool designed to steal cryptocurrency wallets, browser credentials, and establish persistent access on infected machines.
Blockchain Dead‑Drop Mechanism
The malware’s reliance on blockchain infrastructure serves as a dead‑drop resolver: the initial JavaScript fetches an encrypted blob from a TronGrid transaction; if unavailable, it falls back to an Aptos transaction. This approach provides redundancy and obscurity, as the payload is embedded in immutable ledger entries rather than on conventional servers. Subsequent stages repeat the same pattern, allowing the attackers to update C2 addresses or payloads without altering the malicious packages themselves, thereby extending the campaign’s lifespan and evading detection.
Socket.io Backdoor Capabilities
Once the C2 server is contacted, a Socket.io‑based backdoor is established, granting the attacker interactive control over the host. Features include arbitrary shell execution, clipboard harvesting, file‑system read/write operations, file upload/download, process management, and the ability to run additional JavaScript code on demand. This backdoor enables the threat actor to explore the compromised system, deploy further tools, and exfiltrate data in real time, while maintaining a low‑profile communication channel that blends with legitimate web‑socket traffic.
Python Infostealer Functionality
Parallel to the Socket.io backdoor, a Python loader component is activated. It contacts the C2 server to download the final Python infostealer and installs any required dependencies. The stealer targets a broad range of sensitive information: credentials stored in Chromium‑based browsers and Mozilla Firefox, password managers, authenticator apps, and cryptocurrency wallet files (e.g., MetaMask, Electrum). It also harvests developer‑specific artefacts such as Git credentials, GitHub CLI hosts.yml, GitHub Desktop logs, VS Code settings and global storage, and OS‑level secret stores (Windows Credential Manager, Linux Secret Service/KDE Wallet, macOS Keychain). Cloud‑storage metadata from Dropbox, Google Drive, Microsoft OneDrive, Apple iCloud, Box, Mega, and pCloud is likewise collected. All harvested data is compressed into ZIP archives and uploaded to the C2 server; if a Telegram bot token is present at runtime, a copy is also sent to a attacker‑controlled Telegram bot for immediate notification.
Targeting the Go Ecosystem
In parallel with the npm compromise, researchers at Nextron Systems identified 16 Go modules that had been trojanized with the same malware chain. The affected packages include widely used repositories such as github.com/lambda-platform/lambda, github.com/reauheau/goaubio, github.com/glacialspring/go-winsparkle, and others spanning utilities, blockchain arbitrage tools, and backend services. Most of these modules appear to be legitimate projects whose latest released version was altered to incorporate the malicious payload alongside the original code, using the identical fake‑font file and VS Code task technique. This indicates a deliberate effort to poison multiple language ecosystems simultaneously, increasing the likelihood of infection across diverse development environments.
Mitigation and Recommendations
Organizations and individual developers who may have installed the compromised packages should take immediate action: remove html-to-gutenberg and fetch-page-assets from any local caches or projects, audit all .vscode/tasks.json files for auto‑run entries (especially those with "runOn": "folderOpen"), and delete any suspicious tasks. Additionally, rotate all potentially exposed secrets—including API keys, cloud service tokens, cryptocurrency wallet keys, browser‑saved passwords, and credentials stored in OS credential stores. Monitoring outbound connections for unusual Socket.io traffic or requests to known blockchain dead‑drop endpoints can help detect ongoing infections. Finally, maintaining up‑to‑date dependency‑scanning tools and enforcing strict provenance checks (e.g., using signed packages or internal mirrors) will reduce the risk of future supply‑chain compromises of this nature.