VS Code Tasks Become Silent Killers in Fresh npm and Go Package Hijacks

Attackers hijacked the npm packages html-to-gutenberg and fetch-page-assets plus 16 Go modules. They used hidden VS Code folderOpen tasks and blockchain dead drops to deliver a socket.io backdoor and a Python credential stealer targeting wallets and browser data. The technique evades npm lifecycle protections and activates on workspace open. Similar methods recently enabled a GitHub breach via a poisoned extension.
Written by John Marshall

Attackers hijacked two npm packages and at least 16 Go modules. They slipped in a mechanism that waits for developers to open a project folder in Visual Studio Code. No postinstall script. No obvious red flags at install time. Just a hidden task that fires when the workspace loads.

The Trigger Hides in Plain Sight

The packages, html-to-gutenberg version 4.2.11 and its dependency fetch-page-assets version 1.2.9, reached npm on May 25, 2026. Both have since been removed. JFrog Security Research spotted them first. The malicious code sits disguised as a font file at public/fonts/fa-solid-400.woff2. But it contains JavaScript. Not a font.

When a developer opens the package directory itself as a trusted workspace in VS Code or Cursor, a .vscode/tasks.json file takes over. The task, labeled “eslint-check”, uses runOn: 'folderOpen'. It runs node on that fake font file. Execution begins. No extra clicks needed. “The package hides execution inside a VS Code task, configured to run automatically when the project folder is opened in VS Code,” JFrog researchers Guy Korolevski and Yair Benamou wrote.

Short. Elegant. And effective. The approach sidesteps npm lifecycle scripts entirely. That choice looks deliberate. It may dodge new restrictions in npm v12 that tightened automatic script execution. But the real innovation lies elsewhere.

The JavaScript payload pulls its next stage from blockchain transaction data. TronGrid serves as primary source. Aptos and Binance Smart Chain act as backups. The malware queries public RPC endpoints for specific transactions, extracts hex data, decodes it with a simple XOR operation, and evaluates the result. Blockchain dead drops make takedowns harder. The infrastructure lives on decentralized networks.

From there the code phones home. It establishes a socket.io backdoor. Operators gain shell access, file upload and download, clipboard monitoring, process listing, and even arbitrary JavaScript execution on the victim machine. The backdoor identifies the host with details like OS type, process ID, and a version marker. It reconnects aggressively if dropped.

Then comes the Python stage. A loader fetches and runs an infostealer. This component sweeps Chromium-based browsers for cookies, passwords, autofill data, and extension wallets. It hits Firefox too. It grabs data from password managers, SSH keys, Git configurations, GitHub CLI files, and VS Code storage. On Windows it queries Credential Manager. On Linux it checks Secret Service and KDE Wallet. On macOS it targets the Keychain.

Cryptocurrency wallets receive special attention. MetaMask, Phantom, Ledger, Trezor, Exodus, and others. The stealer also collects cloud storage tokens for Dropbox, Google Drive, OneDrive, and more. All data gets zipped, sometimes encrypted, and exfiltrated to the command server. Some builds forward archives to a Telegram bot.

“The payloads show that the attacker was interested in both immediate theft and interactive access,” JFrog concluded. “The socket.io-based backdoor provides command execution and file collection, while the Python stage performs wide credential and wallet harvesting across browsers, OS credential stores, developer tooling, and cryptocurrency applications.”

The campaign didn’t stop at JavaScript. Nextron Systems found 16 Go packages carrying the same fake font file and payload. Many appear to be legitimate projects whose latest versions were overwritten with the malware while preserving original code. The list includes modules such as github.com/lambda-platform/lambda, github.com/glacialspring/go-winsparkle, and several student or experimental repositories. The Hacker News reported the overlap on June 29, 2026.

But this isn’t an isolated incident. Supply chain compromises through developer tools have accelerated. In May 2026 a poisoned version of the Nx Console VS Code extension, boasting 2.2 million installs and verified publisher status, lived on the marketplace for roughly 18 minutes. It collected credentials silently. GitHub later confirmed that a similar malicious extension on an employee’s machine led to the exfiltration of approximately 3,800 internal repositories. TeamPCP claimed responsibility. Aikido detailed the breach on May 20, 2026.

Researchers tie elements of the current operation to the ongoing “Fake Font” campaign, itself a branch of North Korea-linked “Contagious Interview” activity that has targeted developers since 2023. The combination of VS Code autorun tasks and font-disguised JavaScript first drew attention in earlier DPRK operations. Security researcher Paul McCarty described the Python backdoor component, called InvisibleFerret, as part of that effort.

The overlap raises hard questions. Developers open dozens of project folders daily. Many mark workspaces as trusted without hesitation. VS Code’s productivity features, designed to streamline workflows, now serve as reliable execution triggers. And the use of blockchain for payload delivery adds resilience that traditional domains cannot match.

Organizations face a widening attack surface. npm, Go, PyPI, and the VS Code marketplace all feed into the same developer machines. A single compromised dependency or extension can reach millions. Recent waves have hit Axios, Checkmarx extensions, Bitwarden CLI, and Red Hat namespaces. Some spread as worms through CI/CD pipelines. Others rely on stolen maintainer credentials or poisoned popular packages.

Defenders recommend immediate removal of the affected packages. Teams should scan developer workstations for unexpected .vscode/tasks.json files containing folderOpen triggers. Rotate all credentials. Monitor for socket.io connections to known indicators such as 166.88.134.62 or 198.105.127.210. Look for Python artifacts in temporary directories or unusual Telegram bot activity.
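The scan described above, as an added example that is not code from the article, JFrog, Nextron or the hijacked packages: it walks a workspace, parses `.vscode/tasks.json` (which VS Code reads as JSONC, so comments and trailing commas must be tolerated), reports every task with `runOptions.runOn` set to `folderOpen`, notes when such a task invokes an interpreter, and checks whether any file the task references carries a font extension without a font magic header, which is how the disguised `fa-solid-400.woff2` would be caught. The interpreter list, the demo workspace contents and the placeholder script text are constructed assumptions, not the real payload.

```python
"""Added defender example: find VS Code tasks that auto-run on folderOpen and
point at files whose extension claims a font but whose bytes do not.
Assumptions: tasks.json is JSONC; interpreter list and demo content are constructed."""
import json
import re
import tempfile
from pathlib import Path

# Magic bytes of genuine font containers: WOFF2, WOFF, TrueType, OpenType CFF, Mac TrueType.
FONT_MAGIC = (b"wOF2", b"wOFF", b"\x00\x01\x00\x00", b"OTTO", b"true")
FONT_SUFFIXES = {".woff2", ".woff", ".ttf", ".otf"}
# Interpreters a folderOpen task should rarely need (assumption: tune per team).
INTERPRETERS = {"node", "python", "python3", "sh", "bash", "pwsh", "powershell", "cmd"}


def load_jsonc(text):
    """Parse JSONC: strip // and /* */ comments with a small state machine so that
    '//' inside strings survives, then drop trailing commas (assumed not to occur
    inside string values) before handing the result to json.loads."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped character verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):       # line comment: skip to newline
            i = text.find("\n", i)
            if i == -1:
                break
            continue
        elif text.startswith("/*", i):       # block comment: skip past '*/'
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
            continue
        else:
            out.append(c)
        i += 1
    return json.loads(re.sub(r",(\s*[}\]])", r"\1", "".join(out)))


def task_tokens(task):
    """Flatten command and args (including per-OS overrides) into string tokens."""
    tokens = []
    for scope in (task, task.get("windows", {}), task.get("linux", {}), task.get("osx", {})):
        cmd = scope.get("command")
        if isinstance(cmd, str):
            tokens += cmd.split()
        for arg in scope.get("args", []):
            if isinstance(arg, dict):            # {"value": ..., "quoting": ...} form
                arg = arg.get("value", "")
            if isinstance(arg, str):
                tokens += arg.split()
    return tokens


def is_auto_run(task):
    """True when VS Code would start the task as soon as a trusted folder opens."""
    return (task.get("runOptions") or {}).get("runOn") == "folderOpen"


def masquerades_as_font(path):
    """True if the extension claims a font but the first bytes carry no font magic."""
    if path.suffix.lower() not in FONT_SUFFIXES or not path.is_file():
        return False
    head = path.read_bytes()[:4]
    return not any(head.startswith(m) for m in FONT_MAGIC)


def scan_workspace(root):
    """Return findings (label + reasons) for every folderOpen task in root/.vscode/tasks.json."""
    root = Path(root)
    tasks_file = root / ".vscode" / "tasks.json"
    if not tasks_file.is_file():
        return []
    try:
        data = load_jsonc(tasks_file.read_text(encoding="utf-8", errors="replace"))
    except json.JSONDecodeError as exc:
        return [{"label": None, "reasons": [f"unparseable tasks.json: {exc}"]}]
    findings = []
    for task in data.get("tasks", []):
        if not is_auto_run(task):
            continue
        reasons = ["runs automatically on folderOpen"]
        for tok in task_tokens(task):
            name = Path(tok).name.lower()
            name = name[:-4] if name.endswith(".exe") else name
            if name in INTERPRETERS:
                reasons.append(f"invokes interpreter {tok}")
            target = root / tok.replace("${workspaceFolder}/", "")
            if masquerades_as_font(target):
                reasons.append(f"{tok} has a font extension but is not a font")
        findings.append({"label": task.get("label"), "reasons": reasons})
    return findings


def run_demo():
    """Build a constructed workspace mirroring the article's description and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / ".vscode").mkdir()
        (base / "public" / "fonts").mkdir(parents=True)
        (base / ".vscode" / "tasks.json").write_text(
            "{\n  // constructed sample, not the real tasks.json\n"
            '  "version": "2.0.0",\n  "tasks": [\n'
            '    {"label": "eslint-check", "type": "shell",\n'
            '     "command": "node public/fonts/fa-solid-400.woff2",\n'
            '     "runOptions": {"runOn": "folderOpen"},},\n'
            '    {"label": "build", "type": "shell", "command": "npm run build"}\n'
            "  ]\n}\n", encoding="utf-8")
        # Stand-in for the font-named script: plain JavaScript text, no WOFF2 header.
        (base / "public" / "fonts" / "fa-solid-400.woff2").write_text(
            'console.log("placeholder");\n', encoding="utf-8")
        return scan_workspace(base)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["label"], "->", "; ".join(finding["reasons"]))
```

Run it over a list of checkout roots on a developer workstation to get one finding per auto-run task; a clean workspace yields an empty list, and a task that merely runs `npm run build` on `folderOpen` is still reported, since the point is to review every auto-run task rather than only the ones that already look hostile.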

The incident also highlights limitations in current package scanning. Many tools focus on lifecycle hooks and obvious malicious scripts. This attack lived outside those paths. It waited for an IDE action that millions perform every hour.

So the pattern continues. Attackers study legitimate developer behavior. They repurpose built-in features. They hide in plain sight. And each successful compromise feeds the next, more sophisticated variant.

Security teams that treat VS Code tasks and extension auto-updates as trusted by default may need to rethink that assumption. The convenience that made these tools indispensable now makes them dangerous vectors. The next breach could start with nothing more than opening a folder.
