Compromised npm and Go Packages Use VS Code Tasks and Blockchain Transactions to Deliver Python Infostealer

JFrog Security Research published an analysis on Monday (29) about two malicious versions of npm packages and a cluster of 16 Go packages that reverse the traditional attack playbook against the registry. Instead of exploiting npm lifecycle scripts, a target blocked by npm v12 hardenings, the attackers concealed execution within the tasks.json file of VS Code, configured with autoRun: 'folderOpen'. Simply opening the folder in the editor triggers the chain without invoking npm install or npm test.

The compromised npm packages are html-to-gutenberg version 4.2.11 and fetch-page-assets version 1.2.9, both published on May 25 and removed from the registry after disclosure. The Go trail was identified concurrently by Nextron Research and replicated across 16 packages that load the same loader. The payload downloads a seemingly benign source, which is actually a JavaScript blob with a modified extension tag, and executes in a decoupled node -e process.

Why Blockchain is Part of the Chain

The loader does not utilize a fixed C2 domain. It resolves transactions across three public blockchains, in the following order: TronGrid, Aptos, and BSC JSON-RPC. The relevant data is housed in the input field of the transaction, following a marker '?.?', and is XOR-decoded before execution. This mechanic is significant because it complicates the classic DNS sinkhole takedown and requires the detection team to monitor traffic outgoing to public blockchain infrastructure, a standard that corporate firewalls almost never treat as hostile.

The second stage establishes a socket.io backdoor and subsequently the Python infostealer. It has a wide reach: saved credentials in Chromium and Firefox browsers, password managers, TOTP authenticators, crypto wallets, Git histories, GitHub CLI's hosts.yml, GitHub Desktop logs, VS Code settings, Windows Credential Manager, Linux Secret Service, KDE Wallet, macOS Keychain, and metadata from cloud providers. In environments where developers keep short API tokens in the project’s .env file, the leak is direct.

Who's Exposed, and at What Stage of the Chain

The uncomfortable angle for the CISO lies in those who need to run VS Code with active auto-trust. Coding agent platforms that allow users to open an arbitrary repository and initiate analysis fall into the most exposed category, as opening the workspace triggers the autoRun without a prompt. DevSecOps teams that standardized a shared .vscode/tasks.json across repositories inherited a vector that falls outside the scope of dependency scans running on pre-commit.

The actual surface has not yet been measured. JFrog indicates that the two npm versions had several thousand downloads before removal, but this number does not isolate how many reached developer stations and how many remained on ephemeral CI build agents. The telemetry from the infostealer, as it potentially appears in credential broker markets over the coming weeks, will serve as the thermometer to gauge the attackers’ investment value.

The Read-Across to Bangalore and São Paulo

This is where the attack shifts from a niche security research problem to a committee issue. PwC and Deloitte's Acceleration Centers in Bangalore host thousands of developers on client-facing projects that utilize shared tasks.json to standardize linting, builds, and deployments. A silent intrusion into a delivery machine offshore could lead to the GitHub credentials of Tier 1 financial clients in the English or American markets. HCLTech and TCS, which operate equivalent centers in Pune and Chennai, have exposure on the same magnitude scale.

In Brazil, the vector affects the engineering of fintechs and digital banks, which have standardized VS Code with shared tasks for environments at Nubank, C6, and BTG. Stefanini and CI&T, which deliver squads allocated to retail and industrial clients, share the same risk geometry. Recommending token revocation at scale has become an operational action rather than a theoretical exercise.

What to Request from the Team Today

The immediate fix is to configure 'security.workspace.trust.enabled' as true and disable autoRun in all corporate VS Code images, a policy that many teams relaxed when coding agents began requiring workspace trust to function. The IOC scan published by JFrog covers both npm packages and the 16 Go packages, and the dead-drop blockchain artifacts have been cataloged in the report. The reminder left for the CIO is more structural: software supply chains do not end with the SBOM. They continue within the editor that the developer opens, and this boundary has been poorly monitored until Monday.