"This attack avoids the most common npm execution paths through lifecycle scripts, perhaps in an attempt to remain 'compatible' with npm v12's security hardenings," JFrog said in a technical analysis.
The VS Code "folderOpen" task and the fake font payload
Researchers found that the intrusion begins not with an install or build script but with a hidden Visual Studio Code task. The malicious task, labeled "eslint-check", has its runOptions.runOn property set to "folderOpen", so VS Code (or another IDE that honors VS Code's tasks.json) starts it automatically when the package directory is opened as a trusted workspace. The task's command runs a file stored at public/fonts/fa-solid-400.woff2: the path and extension suggest a web font, but the file contains JavaScript.
Because the trigger fires only when the package directory itself is opened as a trusted workspace, or when a developer has explicitly allowed automatic tasks, installing the package as a dependency does not by itself run the payload; a developer has to open the package folder in the editor. The attack thereby sidesteps the "most common npm execution paths" and hides in a developer workflow rather than in package-install hooks, JFrog reported.
Hijacked npm and Go packages identified
JFrog's analysis identified two npm packages involved in the campaign:
- html-to-gutenberg
- fetch-page-assets (which lists html-to-gutenberg as a dependency)
Both packages were uploaded to npm on May 25, 2026, and are no longer available for download from the registry.
Nextron Systems found a related cluster of 16 Go packages in which the latest released versions included the same malware alongside original project contents. The Go packages named in the analysis are:
- github.com/lambda-platform/lambda
- github.com/reauheau/goaubio
- github.com/glacialspring/go-winsparkle
- github.com/bm-197/chill
- github.com/naol7/dist-task-scheduler
- github.com/anatoli-derese/a2sv-excercise
- github.com/amantsehay/a2sv-go-course
- github.com/dexbotsdev/uniswap-v2-v3-arbitrage
- github.com/lambda-platform/ebarimt-rest-api
- github.com/lambda-platform/dan
- github.com/zainirfan13/graphql-client
- github.com/hngi/team-fierce-backend-golang
- github.com/glacialspring/static
- github.com/rickt/slack-weather-bot
- github.com/Barsu5489/commerce
- github.com/Setsu548/Logistic
JFrog noted that most appear to be legitimate packages whose released versions were augmented with the malware using the same structure and fake font file.
The InvisibleFerret loader, blockchain dead drops, and socket.io backdoor
The campaign uses a multi-stage loader architecture. The bogus font file acts as a first-stage loader that retrieves encrypted JavaScript from blockchain transaction data, querying TronGrid first and falling back to Aptos. This "dead drop" resolver is resilient because the loader embeds no attacker server at all: the location of the next stage lives in public blockchain data that the attacker can update with a new transaction and that defenders cannot take down the way they can a domain or hosting account. The JavaScript stages repeat the same dead-drop retrieval pattern to obtain the address of a command-and-control (C2) server.
Once the JavaScript establishes contact with attacker infrastructure, it launches a socket.io backdoor that provides remote control capabilities including shell execution, clipboard harvesting, file system operations, file upload, process management, and arbitrary JavaScript execution. In parallel, a Python loader component retrieves and installs a Python infostealer described in the reporting as the InvisibleFerret backdoor.
The Python stage is built for broad credential and artifact theft: it can exfiltrate browser-stored credentials from Chromium-based browsers and Mozilla Firefox, harvest developer-oriented artifacts (Git credentials, GitHub CLI hosts.yml, GitHub Desktop logs, VS Code global storage), and collect OS and cloud credentials from sources such as Windows Credential Manager, Linux Secret Service, KDE Wallet, macOS Keychain, and metadata from Dropbox, Google Drive, Microsoft OneDrive, Apple iCloud, Box, Mega, and pCloud. Collected data are compressed into ZIP archives and uploaded to the C2 server — and, if a Telegram bot token is supplied by the attacker at runtime, to a Telegram bot as well.
Attribution context: "Fake Font" and Contagious Interview
The OpenSourceMalware team is tracking this activity under the moniker Fake Font and describes it as a variant of Contagious Interview, a campaign the team says has targeted developers and technical personnel through fraudulent job interview processes. Security researcher Paul McCarty, quoted in the reporting, said in January that "This 'Fake Font' campaign delivers a multi-stage loader that ultimately deploys the InvisibleFerret Python backdoor, designed to steal cryptocurrency wallets, browser credentials, and establish persistent access." The reporting also notes that the combination of a VS Code auto-run task with JavaScript disguised as font files has been attributed to North Korea.
What this means for developers, open-source maintainers, and incident responders
Developers and security teams: Search developer machines for .vscode/tasks.json files that define tasks with runOn set to folderOpen, and be cautious before trusting unknown or recently added workspace folders. Remove any copies of the listed npm and Go packages, and treat as suspicious any workspace that includes unexpected .vscode configuration or files whose extension says font but whose leading bytes are not a font signature.
Open-source maintainers: Audit recent releases and tags for unexpected files or added execution triggers. The Go examples showed legitimate projects whose released versions were augmented; maintainers should validate release contents and provenance before publishing.
Incident responders and administrators: Rotate credentials, tokens, cloud credentials, API keys, browser-stored passwords, and wallet credentials for any potentially affected environment. JFrog advised immediate removal of the impacted packages and searching for hidden VS Code folder-open tasks; the company concluded that "The payloads show that the attacker was interested in both immediate theft and interactive access."
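The following Python script is an added example, not code from the JFrog or Nextron reporting, that implements the two hunts described above (the folderOpen task trigger and the JavaScript-in-a-font-file trick): it walks a directory tree, parses every .vscode/tasks.json as JSONC (VS Code allows comments and trailing commas there, which plain json.loads rejects), flags tasks whose runOptions.runOn is "folderOpen", and reports files with a font extension whose first bytes are not a font signature. The sample workspace it builds is constructed for the demonstration; in particular the task command "node public/fonts/fa-solid-400.woff2" is an assumed placeholder, since the excerpt above does not give the real command.

```python
"""Hunt for VS Code folderOpen auto-run tasks and script files disguised as fonts.
Added example, not code from the JFrog or Nextron reporting. The sample workspace
built below is constructed from the article's description; its task command is an
assumed placeholder, not the real one."""
import json
import re
import sys
import tempfile
from pathlib import Path

# Leading bytes a genuine font file carries, keyed by extension.
FONT_MAGIC = {".woff2": (b"wOF2",), ".woff": (b"wOFF",),
              ".ttf": (b"\x00\x01\x00\x00", b"true"), ".otf": (b"OTTO",)}
FONT_REF_RE = re.compile(r"\.(woff2?|ttf|otf)\b", re.I)
TRAILING_COMMA_RE = re.compile(r",(\s*[}\]])")   # crude: also touches ",]" inside strings

def strip_jsonc(text):
    """Drop // and /* */ comments but leave string contents (e.g. URLs with //) intact."""
    out, i, in_str = [], 0, False
    while i < len(text):
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\":                      # keep the escaped character, e.g. \"
                out.append(text[i + 1:i + 2])
                i += 1
            elif c == '"':
                in_str = False
        elif text.startswith("//", i):         # line comment: skip to the newline
            end = text.find("\n", i)
            i = len(text) if end < 0 else end - 1
        elif text.startswith("/*", i):         # block comment: skip past the closing */
            end = text.find("*/", i + 2)
            i = len(text) if end < 0 else end + 1
        else:
            in_str = c == '"'                  # a quote opens a string literal
            out.append(c)
        i += 1
    return "".join(out)

def load_jsonc(text):
    """tasks.json is JSONC: comments and trailing commas are allowed, json.loads is not."""
    return json.loads(TRAILING_COMMA_RE.sub(r"\1", strip_jsonc(text)))

def auto_run_tasks(doc):
    """Tasks VS Code starts on its own when the folder is opened as a trusted workspace."""
    hits = []
    for task in doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            cmd = " ".join(str(x) for x in [task.get("command", ""), *task.get("args", [])])
            hits.append({"label": task.get("label"), "command": cmd.strip(),
                         "references_font": bool(FONT_REF_RE.search(cmd))})
    return hits

def is_fake_font(path):
    """True when the extension claims a font but the first bytes are not a font signature."""
    magics = FONT_MAGIC.get(path.suffix.lower())
    if not magics:
        return False
    with path.open("rb") as fh:
        return not fh.read(4).startswith(magics)

def scan_tree(root):
    """Walk root (hidden directories included) and collect both kinds of finding."""
    root = Path(root)
    report = {"auto_run_tasks": [], "fake_fonts": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.parent.name == ".vscode" and path.name == "tasks.json":
            try:
                tasks = auto_run_tasks(load_jsonc(path.read_text(encoding="utf-8")))
            except (ValueError, AttributeError, UnicodeDecodeError):   # not a valid tasks file
                continue
            report["auto_run_tasks"] += [{"file": rel, **t} for t in tasks]
        elif is_fake_font(path):
            report["fake_fonts"].append(rel)
    return report

# Constructed sample laid out like the reported package; the command is an assumption.
SAMPLE_TASKS_JSON = r'''{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "eslint-check",                            // benign-looking name
      "type": "shell",
      "command": "node public/fonts/fa-solid-400.woff2",   // placeholder, not the real command
      "runOptions": { "runOn": "folderOpen" },
    },
  ]
}'''
SAMPLE_FAKE_FONT = b"(function(){/* constructed stand-in for a JS loader */})();\n"
SAMPLE_REAL_FONT = b"wOF2" + b"\x00" * 40   # only the signature matters for this check

def build_sample_workspace():
    """Create a throwaway directory laid out like the poisoned package."""
    root = Path(tempfile.mkdtemp(prefix="fakefont-"))
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(SAMPLE_TASKS_JSON, encoding="utf-8")
    fonts = root / "public" / "fonts"
    fonts.mkdir(parents=True)
    (fonts / "fa-solid-400.woff2").write_bytes(SAMPLE_FAKE_FONT)
    (fonts / "fa-regular-400.woff2").write_bytes(SAMPLE_REAL_FONT)
    return root

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_workspace()
    print(json.dumps(scan_tree(target), indent=2))
```

Run it with a path argument to sweep a real checkout or a node_modules tree, or with no argument to scan the constructed sample. A folderOpen task in a package you did not write is the stronger signal; the magic-byte check only proves that a file is not what its extension claims, so confirm each hit by opening the file before treating it as the loader.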
Link to original report: https://thehackernews.com/2026/06/hijacked-npm-and-go-packages-use-vs.html