Hijacked npm and Go Packages Hide a Stealer in Fake Fonts
Researchers found two npm packages and 16 Go modules that quietly install a credential and crypto-wallet stealer the moment a developer opens the project in VS Code. The malware hides inside a fake font file and pulls its next stage from blockchain transactions to survive takedowns. It is the latest twist on North Korea's Contagious Interview campaign against developers.
By SecureBusinessHub Editorial, International cybersecurity desk
Open the wrong project folder in VS Code and the attack starts on its own. No install command, no build step, just opening the directory. That is the trick behind a wave of poisoned packages that JFrog and Nextron Systems pulled apart this week.
JFrog found two hijacked npm packages, html-to-gutenberg 4.2.11 and fetch-page-assets 1.2.9, both uploaded on 25 May 2026 and since pulled from the registry. Nextron then found the same malware riding inside 16 Go modules. In most cases a real, working package had a single poisoned release pushed on top of it, so the legitimate code still ran and nothing looked off. The targets are developers on Windows, Linux, and macOS.
How the trap springs
The packages ship a hidden VS Code task named eslint-check, set with runOn folderOpen. When the package directory is opened as a trusted workspace in VS Code or Cursor, the task fires automatically. It runs a file dressed up as a font, public/fonts/fa-solid-400.woff2, that actually contains JavaScript. By avoiding the usual npm install scripts, the attack stays quiet and sidesteps the lifecycle-script hardening in newer npm.
From there the JavaScript uses a dead drop resolver to find its next stage, reading the address from blockchain transaction data on TronGrid with Aptos as a fallback. Pointing at a legitimate blockchain service keeps the lookup alive even when defenders take down domains. The next stage stands up a socket.io backdoor that gives the operator shell access, clipboard theft, and file operations, then pulls down a Python loader.
What it steals
The Python stage is the InvisibleFerret infostealer, and it casts a wide net. It scrapes saved logins from Chromium and Firefox browsers, password managers, and authenticators, then goes after cryptocurrency wallets. For developers it grabs Git credentials, the GitHub CLI hosts.yml, GitHub Desktop logs, and VS Code storage. It also reads the operating system credential stores: Windows Credential Manager, Linux Secret Service, KDE Wallet, and macOS Keychain, plus cloud metadata for Dropbox, Google Drive, OneDrive, iCloud, Box, Mega, and pCloud. Everything is zipped and sent to the command server, and to a Telegram bot if the attacker supplies a token.
Check your developer machines
- Search your repos and build caches for html-to-gutenberg@4.2.11 and fetch-page-assets@1.2.9, and review the 16 flagged Go modules.
- Look in any .vscode/tasks.json for a task that runs on folderOpen, especially one named eslint-check or any task that runs node against a .woff2 file.
- Open suspect font files such as fa-solid-400.woff2 or fa-brands-regular.woff2 in a text editor; real fonts are binary, so readable JavaScript is a red flag.
- In VS Code and Cursor, confirm Workspace Trust is on and that automatic task execution is not allowed for untrusted folders.
If any of that turns up on a machine, assume the stealer ran and grabbed everything in one pass. Rotate Git credentials, access tokens, cloud keys, API keys, browser-saved passwords, and wallet keys, and do it from a machine you know is clean.
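As an added example (not from the article, JFrog or Nextron), the Python below checks a checkout for the two indicators in the list above: a tasks.json entry whose runOptions.runOn is folderOpen, and a .woff2 file that does not start with the WOFF2 magic bytes wOF2. The sample workspace it builds is constructed here only to exercise the checks.

```python
import json
import tempfile
from pathlib import Path

WOFF2_MAGIC = b"wOF2"  # every genuine WOFF2 font starts with these four bytes

def suspicious_tasks(tasks_json: Path) -> list[str]:
    """Describe tasks in a .vscode/tasks.json that auto-run when the folder opens."""
    try:
        doc = json.loads(tasks_json.read_text(encoding="utf-8"))
    except (ValueError, OSError):  # tasks.json may be JSONC (comments), so flag for manual review
        return [f"{tasks_json}: could not parse, inspect manually"]
    hits = []
    for task in doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
        reason = "runs on folderOpen"
        if ".woff2" in cmd:
            reason += " and executes a .woff2 file"
        hits.append(f"{tasks_json}: task '{task.get('label')}' {reason}")
    return hits

def is_fake_font(path: Path) -> bool:
    # A .woff2 without the magic is not a font; the article's samples hold JavaScript
    return path.read_bytes()[:4] != WOFF2_MAGIC

def scan_workspace(root: Path) -> list[str]:
    findings = []
    for path in root.rglob("*"):
        if path.name == "tasks.json" and path.parent.name == ".vscode":
            findings.extend(suspicious_tasks(path))
        elif path.suffix == ".woff2" and path.is_file() and is_fake_font(path):
            findings.append(f"{path}: .woff2 without WOFF2 magic, likely script")
    return findings

def build_sample_workspace() -> Path:
    """Constructed sample: a poisoned-style task, one fake font and one real-looking header."""
    root = Path(tempfile.mkdtemp())
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
        {"label": "eslint-check", "command": "node", "args": ["public/fonts/fa-solid-400.woff2"],
         "runOptions": {"runOn": "folderOpen"}}, {"label": "build", "command": "npm run build"}]}))
    fonts = root / "public" / "fonts"
    fonts.mkdir(parents=True)
    (fonts / "fa-solid-400.woff2").write_text("(function(){/* constructed stand-in */})();")
    (fonts / "clean.woff2").write_bytes(WOFF2_MAGIC + b"\x00" * 40)  # header only, not a full font
    return root
```

Run `scan_workspace(Path("."))` from the root of a checkout; a parse failure on tasks.json is reported rather than skipped, because VS Code accepts comments in that file and a strict JSON parser does not.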
Why developers keep getting hit
The font-file disguise and the folderOpen task have been tied to North Korea, and researchers track this strand as Fake Font, a branch of the long-running Contagious Interview campaign that lures developers through fake job interviews. A developer laptop is a high-value target because it holds the keys to source code, cloud accounts, and production systems. One opened folder can hand all of it over at once.