Stealth npm and Go Packages Use VS Code Functions to Install Python Infostealer

Cybersecurity researchers discovered two malicious npm packages and a set of Go packages designed to deliver a Python-based information stealer to Windows, Linux, and macOS hosts.
“This attack avoids the most common ways to implement npm through lifecycle documentation, probably in an effort to stay ‘up-to-date’ with npm v12 security,” JFrog said in a technical review.
“The package hides the execution inside a VS Code function, configured to run automatically when the project folder is opened in VS Code. From there, the malware finds the JavaScript encrypted in the blockchain transaction data, connects to the infrastructure controlled by the attacker, executes the socket.io backdoor, and finally releases the Python infostealer.”
The names of the identified npm packages are listed below –
- html-to-gutenberg
- download-page-assets (which lists html-to-gutenberg as a dependency)
Both of these packages were uploaded to npm on May 25, 2026, and are no longer available for download from the registry. The starting point of the attack is a hidden Microsoft Visual Studio Code (VS Code) task called “eslint-check” configured with the “runOn: ‘folderOpen’” option, which triggers the execution of malicious code when the folder is opened as a workspace folder in an IDE such as VS Code or Cursor.
“They no longer reuse the entire .vscode/tasks.json; in this case, the launcher fires when a malicious package directory is opened as a workspace and marked as trusted, or when the developer has explicitly enabled default tasks,” JFrog said. “The command also disguises the payload as a font file – public/fonts/fa-solid-400.woff2, although the file only contains JavaScript code.”
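As an added defensive example (not JFrog's tooling or the malicious package's own code), the following script checks `.vscode/tasks.json` files under a directory tree for tasks configured with `runOn: folderOpen` and flags commands that point at font or image files, the combination described above. The sample `tasks.json` embedded at the bottom is constructed to mirror that pattern; the label and path are illustrative, not recovered from the real package.

```python
import json
import re
from pathlib import Path

# Task triggers that need no explicit user action, and file types that a task
# command should never execute (the "fake font" trick described above).
AUTO_RUN_TRIGGERS = {"folderOpen"}
NON_EXECUTABLE_EXTS = (".woff", ".woff2", ".ttf", ".otf", ".png", ".jpg", ".svg")

def _strip_jsonc(text: str) -> str:
    """tasks.json is JSON with comments: drop // and /* */ comments and trailing commas."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return re.sub(r",(\s*[}\]])", r"\1", text)

def find_auto_run_tasks(tasks_json_text: str) -> list:
    """Return one finding per task configured to run automatically on folder open."""
    findings = []
    for task in json.loads(_strip_jsonc(tasks_json_text)).get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on not in AUTO_RUN_TRIGGERS:
            continue
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        command = " ".join(parts).strip()
        reasons = [f"runOn={run_on}"]
        if any(ext in command.lower() for ext in NON_EXECUTABLE_EXTS):
            reasons.append("command references a font/image file")
        findings.append({"label": task.get("label", "<unnamed>"), "command": command, "reasons": reasons})
    return findings

def scan_tree(root: str) -> list:
    """Check every .vscode/tasks.json under root (e.g. node_modules or a Go module cache)."""
    results = []
    for path in Path(root).rglob(".vscode/tasks.json"):
        for f in find_auto_run_tasks(path.read_text(encoding="utf-8", errors="replace")):
            results.append({"file": str(path), **f})
    return results

# Constructed sample modelled on the pattern described above; not the real package's file.
SAMPLE_TASKS_JSON = """{
  // looks like a harmless lint step
  "version": "2.0.0",
  "tasks": [
    {"label": "eslint-check", "type": "shell", "command": "node public/fonts/fa-solid-400.woff2",
     "runOptions": {"runOn": "folderOpen"}},
    {"label": "build", "type": "shell", "command": "npm run build"},
  ]
}"""
```

Run `scan_tree("node_modules")` (or a Go module cache) after installing dependencies; any finding with two reasons deserves a look before the folder is ever opened in the IDE.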
It is worth noting that the abuse of VS Code’s auto-run function, coupled with the disguise of JavaScript malware as font files, has been attributed to North Korea. The OpenSourceMalware team, which tracks the activity under the moniker Fake Font, described it as a variant of Contagious Interview, a long-running campaign targeting software developers and tech workers with fake interview procedures.

“This ‘Fake Font’ campaign delivers a multi-stage loader that ultimately releases the InvisibleFerret Python backdoor, designed to steal cryptocurrency wallets, browser credentials, and establish persistent access,” security researcher Paul McCarty noted back in January. “This is the third mini-campaign of the ‘Contagious Interview’ campaign which has been going on since 2023.”
The fake font file uses blockchain infrastructure as a dead drop resolver, querying TronGrid and falling back to Aptos to retrieve the next-stage JavaScript payload reliably across download attempts. The JavaScript stage repeats the same dead drop retrieval pattern to obtain the address of a command-and-control (C2) server that accepts file uploads and delivers the Python malware.
This includes setting up a Socket.io backdoor that gives the operator remote control over the infected host, with features such as running a shell, clipboard harvesting, file system operations, file uploads, process management, and arbitrary JavaScript execution.
In parallel, the infection chain activates a Python loader component responsible for retrieving the Python infostealer from the C2 server and installing the necessary dependencies. The stealer is a broad credential, browser, wallet, and developer-artifact harvester that can extract data stored in Chromium- and Mozilla Firefox-based browsers, password managers, authenticators, and cryptocurrency wallets.
It is also equipped to harvest developer-centric information such as Git credentials, the GitHub CLI hosts.yml file, GitHub Desktop logs, and VS Code global storage, as well as data from Windows Credential Manager, Linux Secret Service, KDE Wallet, and macOS Keychain, and cloud storage metadata for Dropbox, Google Drive, iCloud, and Microsoft OneDrive.
In the final stage, the collected data is packed into compressed ZIP archives and uploaded to the C2 server, and also sent through a Telegram bot if the attacker supplies a bot token during the operation.
The campaign also targeted the Go ecosystem, where Nextron Systems found a set of 16 Go packages containing the same malware. The list is as follows –
- github.com/lambda-platform/lambda
- github.com/reauheau/goaubio
- github.com/glacialspring/go-winsparkle
- github.com/bm-197/chill
- github.com/naol7/dist-task-scheduler
- github.com/anatoli-derese/a2sv-excercise
- github.com/amantsehay/a2sv-go-course
- github.com/dexbotsdev/uniswap-v2-v3-arbitrage
- github.com/lambda-platform/ebarimt-rest-api
- github.com/lambda-platform/dan
- github.com/zainirfan13/graphql-client
- github.com/hngi/team-fierce-backend-golang
- github.com/glacialspring/static
- github.com/rickt/slack-weather-bot
- github.com/Barsu5489/commerce
- github.com/Setsu548/Logistic
“Most appear to be legitimate packages with a later version released that combines the malware with the contents of the original package, using the same structure as the fake file,” JFrog added.
Users who have installed the packages are advised to remove them immediately, inspect project folders and developer tools for hidden VS Code tasks that run on folder open, and rotate credentials, including tokens, cloud credentials, API keys, browser-cached credentials, and wallet credentials.
“The payload shows that the attacker was interested in both quick theft and interactive access,” the cybersecurity firm concluded. “The socket.io-based backdoor provides command execution and file collection, while the Python platform enables comprehensive data and wallet harvesting across browsers, OS authentication stores, developer tools, and cryptocurrency applications.”