JFrog Security Research identified two hijacked npm packages that use a novel execution technique to deploy a credential-stealing Python infostealer while evading the security controls introduced in npm v12. Following the initial JFrog disclosure, researchers at Nextron Research identified 16 additional Go packages carrying the same malicious payload. The attack, linked by researchers to North Korea’s “Contagious Interview” campaign, remains partially active: while the compromised npm versions have been removed from the registry, some Go packages continue to be available.
The two npm packages, html-to-gutenberg version 4.2.11 and fetch-page-assets version 1.2.9, were uploaded to the npm registry on May 25, 2026. Both packages preserve legitimate-looking project files but hide malicious execution logic inside a VS Code workspace task configured with runOn: "folderOpen", which triggers automatically when the project directory is opened as a trusted workspace in VS Code or compatible editors such as Cursor. This technique bypasses npm lifecycle scripts entirely, the execution path most commonly blocked by npm v12’s security hardenings. The payload delivery is further protected by using public blockchain infrastructure as a dead drop: the malicious package retrieves encrypted JavaScript from transaction data stored across TronGrid, Aptos, and BSC JSON-RPC, and decodes it using XOR before execution. From there, the malware establishes a socket.io backdoor and deploys a Python infostealer targeting Windows, Linux, and macOS systems. A key marker embedded in the package, a string read via a victim/version identifier, appears in HTTP headers sent to attacker-controlled infrastructure, allowing the attackers to track which compromised environments are reporting in.
The most important defender insight here is the framing of trust. VS Code’s task autorun only fires when a folder is opened as a trusted workspace. Developers who habitually mark local development directories as trusted, a common habit in active engineering environments, are the direct target population. Security teams should audit whether developer workstations have broad workspace trust configured by default, and whether VS Code’s “Manage Workspace Trust” settings have been reviewed for high-risk directories such as npm dependency trees. This attack is also a signal that supply chain security policies built around npm’s post-install hooks are now incomplete: as JFrog’s research demonstrates, attackers have shifted their execution trigger to the IDE layer rather than the package manager layer. As CyberTech previously reported, similar IDE and CI/CD trust exploitation has been a consistent pattern in supply chain attacks, including the Miasma worm’s abuse of GitHub Actions secrets.
Source: JFrog Security Research