Security researchers have identified a targeted supply-chain attack in which malicious npm and Go packages deliver a Python-based information stealer to Windows, Linux, and macOS hosts. Rather than relying on package-manager hooks, the campaign abuses Visual Studio Code (VS Code) tasks to gain code execution on developer machines.
Exploiting VS Code Tasks for Malware Deployment
As reported by JFrog, the attack sidesteps the usual npm execution path: instead of an install-time lifecycle script such as postinstall, which package scanners routinely inspect, the package plants its first stage in a VS Code task. When a project folder containing the package is opened in VS Code and the workspace is trusted, the task runs automatically and executes JavaScript that retrieves an encrypted next stage from blockchain transaction data. That stage connects to attacker-controlled infrastructure, deploys a Socket.io backdoor, and finally drops the Python infostealer.
The trigger is a hidden VS Code task labelled “eslint-check”. It is configured to run on folder open, and the JavaScript it launches is stored under a font-file name so that it attracts no attention in a casual review of the repository. The technique has been attributed to North Korean actors; the OpenSourceMalware team tracks it as the “Fake Font” campaign.
Wide-ranging Data Theft and Persistent Access
The campaign belongs to the broader “Contagious Interview” operation, which targets software developers. The final payload, InvisibleFerret, steals sensitive data such as cryptocurrency wallets and browser credentials, and it keeps the host reachable by installing a Socket.io backdoor that gives the operators remote control, including file upload and arbitrary command execution.
The Python loader fetches the infostealer from the command-and-control (C2) server. The stealer harvests credentials and data from browsers, operating-system credential stores, and developer tooling, including Git, GitHub, and VS Code, as well as from cloud storage clients such as Dropbox and Google Drive.
Implications for the Go Ecosystem
The attack is not limited to npm: 16 Go packages were found to carry the same malware. They look legitimate because the payload was added alongside the packages’ original, working code rather than replacing it.
Security researchers recommend removing the affected packages immediately, inspecting developer machines for hidden tasks (in particular any .vscode/tasks.json entry with "runOn": "folderOpen", and the value of the task.allowAutomaticTasks setting), and rotating credentials and tokens that may have been exposed, since the stealer targets exactly the secrets a developer workstation holds.
The incident shows the attackers’ two objectives: immediate data theft and lasting access. The Socket.io backdoor provides the latter, while the Python stage’s broad credential harvesting provides the former.
Developers should treat every third-party package and every cloned repository as untrusted until reviewed, keep automatic task execution and workspace trust under control, and audit their machines when a dependency they used is flagged as malicious.
