Hijacked npm and Go Packages Deploy Python Infostealer via VS Code Tasks
Attackers compromised npm and Go packages to distribute a Python-based information stealer, leveraging VS Code task automation to evade npm security controls. The campaign targets Windows, Linux, and macOS systems through supply chain manipulation.
TL;DR
- Two npm packages and multiple Go packages were hijacked to deploy a Python infostealer across multiple operating systems
- Attackers used VS Code task execution instead of npm lifecycle scripts to bypass npm v12 security hardening measures
- The attack demonstrates evolving supply chain tactics that circumvent conventional package manager protections
- Organizations should audit dependencies and monitor for suspicious task configurations in development environments
Cybersecurity researchers have identified a coordinated supply chain attack involving compromised npm and Go packages designed to distribute a Python-based information stealer. The malicious packages target Windows, Linux, and macOS systems, representing a significant threat to development teams relying on these popular package ecosystems.
The attack is notable for its evasion technique: rather than using standard npm lifecycle scripts that trigger during package installation, the threat actors leveraged VS Code task automation to deploy the infostealer. This approach appears designed to circumvent security hardening introduced in npm v12, which restricts execution of certain lifecycle hooks.
The discovery underscores the ongoing risk of supply chain compromise and the need for organizations to implement robust dependency verification and monitoring practices across their development pipelines.
Attack Mechanism and Evasion Tactics
- Attackers compromised npm packages and a cluster of Go packages to distribute malicious payloads
- VS Code task configuration files were used as the execution vector, bypassing traditional npm lifecycle script protections
- The Python infostealer is deployed on compromised hosts to exfiltrate sensitive information
- The technique suggests attackers are actively adapting to npm security improvements and testing alternative execution paths
Risk and Mitigation Recommendations
- Development teams should audit project dependencies and review VS Code workspace settings for suspicious task definitions
- Organizations should implement supply chain security controls including package integrity verification and dependency scanning
- Monitor for unusual execution patterns during package installation and development environment setup
- Consider restricting VS Code task execution in automated build pipelines and enforcing code review for workspace configurations
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.