
Fake Font Campaign Delivers Python Infostealer via npm


You open a project folder in VS Code. You trust the workspace. A hidden task runs automatically. It downloads encrypted JavaScript from blockchain transaction data. It connects to attacker-controlled infrastructure. It deploys a Python infostealer.

That's the Fake Font npm supply chain attack. Two hijacked npm packages and a cluster of Go packages are delivering a Python-based information stealer on compromised Windows, Linux, and macOS hosts.

The packages were uploaded to npm on May 25, 2026, and are no longer available for download from the registry. But the attack chain is worth understanding because it avoids the most common npm execution paths.

The Packages

The two identified npm packages are:

1. html-to-gutenberg
2. fetch-page-assets (which lists html-to-gutenberg as a dependency)

Both packages have been removed from the npm registry. But if you installed them before removal, you may be compromised.

How the Attack Works

The Fake Font npm supply chain attack starts with a hidden Microsoft Visual Studio Code task named eslint-check. The task is configured with "runOn": "folderOpen", so it executes as soon as the malicious package is opened as a workspace folder in VS Code or a compatible IDE such as Cursor. That gives the attacker arbitrary code execution on the developer's machine.

The task command points at the font file public/fonts/fa-solid-400.woff2 to hide the payload, but the file's actual content is JavaScript, not font data.

The task fires when:

1. The malicious package directory is opened as a workspace folder
2. The workspace is trusted
3. The developer has explicitly allowed automatic tasks
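As an added example (not code from the report, the packages or the attacker), a small Python triage script that checks a checked-out project for the two indicators described above: a .vscode/tasks.json task with runOn: folderOpen, and a file with a font extension whose first bytes are not a font signature. The tasks.json text and the node command in it are constructed samples modelled on the description, not the real file.

```python
import json
import re
from pathlib import Path
# Genuine web fonts start with a fixed signature; a JavaScript payload will not.
FONT_SIGNATURES = {".woff2": b"wOF2", ".woff": b"wOFF", ".otf": b"OTTO"}

def strip_jsonc(text):
    """tasks.json is JSON-with-comments; drop // and /* */ comments before parsing."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"^\s*//.*$", "", text, flags=re.M)

def folder_open_tasks(tasks_json_text):
    """Return (label, command) for every task configured with runOn: folderOpen."""
    tasks = json.loads(strip_jsonc(tasks_json_text)).get("tasks", [])
    return [(t.get("label", "<unlabelled>"), t.get("command", ""))
            for t in tasks if t.get("runOptions", {}).get("runOn") == "folderOpen"]

def is_fake_font(filename, header):
    """True when the extension claims a font but the first bytes are not that font's signature."""
    sig = FONT_SIGNATURES.get(Path(filename).suffix.lower())
    return sig is not None and not header.startswith(sig)

def scan_workspace(root):
    """Walk a checked-out package and report auto-run tasks and mislabelled font files."""
    root, findings = Path(root), []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.name == "tasks.json" and p.parent.name == ".vscode":
            for label, cmd in folder_open_tasks(p.read_text(encoding="utf-8")):
                findings.append(f"auto-run task {label!r} in {p}: {cmd}")
        elif is_fake_font(p.name, p.open("rb").read(4)):
            findings.append(f"font extension without a font signature: {p}")
    return findings

SAMPLE_TASKS_JSON = """{
  // constructed sample modelled on the campaign description; not the real tasks.json
  "version": "2.0.0",
  "tasks": [
    {"label": "lint", "type": "shell", "command": "npx eslint ."},
    {"label": "eslint-check", "type": "shell",
     "command": "node public/fonts/fa-solid-400.woff2",
     "runOptions": {"runOn": "folderOpen"}}
  ]
}"""

if __name__ == "__main__":
    print(folder_open_tasks(SAMPLE_TASKS_JSON), scan_workspace("."))
```

Run it from the root of a freshly cloned package before opening that folder in the IDE; an empty list from scan_workspace means neither indicator was found.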

The abuse of VS Code auto-run tasks, coupled with the disguise of JavaScript malware as font files, has been attributed to North Korea. The OpenSourceMalware team tracks the activity under the moniker Fake Font. It is a variant of Contagious Interview, a long-running campaign targeting software developers through fraudulent job interview processes.

The Blockchain Dead Drop Resolver

The bogus font file uses blockchain infrastructure as a dead drop resolver. It relies on:

1. TronGrid
2. Aptos (as a fallback mechanism)

The malware fetches a next-stage JavaScript payload from blockchain transaction data. This is resilient to takedown efforts because blockchain data is decentralized and immutable.

The JavaScript stage repeats the same dead drop retrieval pattern. It then configures a command-and-control server that enables:

1. File uploads
2. Python malware delivery

The Socket.io Backdoor

The malware sets up a Socket.io backdoor, which grants the operator remote control over the infected host through:

1. Shell execution
2. Clipboard theft
3. File system operations
4. File uploads
5. Process management
6. Arbitrary JavaScript execution

The Socket.io backdoor provides interactive remote access, not just passive data theft.

The Python Infostealer

In parallel, the infection chain launches a Python loader component. It retrieves the Python infostealer from the C2 server and installs the necessary dependencies.

The Python infostealer collects data from several sources:

1. Web browsers, for example Chromium-based browsers such as Google Chrome, and Mozilla Firefox
2. Password managers and authenticators
3. Cryptocurrency wallets
4. Developer tools:
a. Git credentials
b. GitHub CLI hosts.yml
c. GitHub Desktop logs
d. VS Code and its global storage
5. Operating system credential stores:
a. Windows Credential Manager
b. Linux Secret Service
c. KDE Wallet
d. macOS Keychain
6. Cloud storage metadata:
a. Dropbox
b. Google Drive
c. Microsoft OneDrive
d. Apple iCloud
e. Box
f. Mega
g. pCloud

The collected data is packaged into compressed ZIP archives and uploaded to the C2 server. It is also sent to a Telegram bot if a bot token is provided by the attacker during runtime.

The Go Packages

The Fake Font npm supply chain attack also targeted the Go ecosystem. Nextron Systems discovered 16 Go packages containing the same malware:

github.com/lambda-platform/lambda
github.com/reauheau/goaubio
github.com/glacialspring/go-winsparkle
github.com/bm-197/chill
github.com/naol7/dist-task-scheduler
github.com/anatoli-derese/a2sv-excercise
github.com/amantsehay/a2sv-go-course
github.com/dexbotsdev/uniswap-v2-v3-arbitrage
github.com/lambda-platform/ebarimt-rest-api
github.com/lambda-platform/dan
github.com/zainirfan13/graphql-client
github.com/hngi/team-fierce-backend-golang
github.com/glacialspring/static
github.com/rickt/slack-weather-bot
github.com/Barsu5489/commerce
github.com/Setsu548/Logistic

Most of these appear to be legitimate packages whose latest released version included the malware alongside the original package contents. They use the same structure and fake font file.

What to Do

If you installed any of these packages, take the following actions:

1. Remove the packages immediately.
2. Check developer machines for VS Code folder-open activity involving the package directories.
3. Rotate credentials: tokens, cloud credentials, API keys, browser credentials, and wallet credentials.
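As an added example for step 1 (not code from the report or the projects involved), a Python helper that checks a project's package-lock.json and go.sum for the npm package names and Go module paths listed on this page. It handles lockfile v1 as well as v2/v3, including a package installed only as a nested dependency; the lockfile fragments at the bottom are constructed placeholders.

```python
import json
from pathlib import Path
# Package names and Go module paths as listed in the text above.
BAD_NPM = {"html-to-gutenberg", "fetch-page-assets"}
BAD_GO = {
    "github.com/lambda-platform/lambda", "github.com/reauheau/goaubio",
    "github.com/glacialspring/go-winsparkle", "github.com/bm-197/chill",
    "github.com/naol7/dist-task-scheduler", "github.com/anatoli-derese/a2sv-excercise",
    "github.com/amantsehay/a2sv-go-course", "github.com/dexbotsdev/uniswap-v2-v3-arbitrage",
    "github.com/lambda-platform/ebarimt-rest-api", "github.com/lambda-platform/dan",
    "github.com/zainirfan13/graphql-client", "github.com/hngi/team-fierce-backend-golang",
    "github.com/glacialspring/static", "github.com/rickt/slack-weather-bot",
    "github.com/Barsu5489/commerce", "github.com/Setsu548/Logistic",
}

def npm_hits(lock_text):
    """Names from BAD_NPM found in a package-lock.json, including nested installs."""
    lock = json.loads(lock_text)
    names = set(lock.get("dependencies", {}))                 # lockfile v1 (top level only)
    for key in lock.get("packages", {}):                      # lockfile v2/v3
        if key:                                               # "" is the root project itself
            names.add(key.rsplit("node_modules/", 1)[-1])     # keeps @scope/name intact
    return sorted(names & BAD_NPM)

def go_hits(gosum_text):
    """Module paths from BAD_GO found in a go.sum ("module version hash" per line)."""
    mods = {line.split()[0] for line in gosum_text.splitlines() if line.strip()}
    return sorted(mods & BAD_GO)

def triage(project_dir):
    """Findings for one project directory; an empty list means no listed package is present."""
    root, findings = Path(project_dir), []
    lock, gosum = root / "package-lock.json", root / "go.sum"
    if lock.is_file():
        findings += [f"npm: {n}" for n in npm_hits(lock.read_text(encoding="utf-8"))]
    if gosum.is_file():
        findings += [f"go: {m}" for m in go_hits(gosum.read_text(encoding="utf-8"))]
    return findings

# Constructed lockfile fragments for the demo; versions and hashes are placeholders.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/fetch-page-assets": {"version": "0.0.0-placeholder"},
    "node_modules/fetch-page-assets/node_modules/html-to-gutenberg": {"version": "0.0.0-placeholder"},
}})
SAMPLE_GOSUM = ("github.com/rickt/slack-weather-bot v0.0.0-placeholder h1:PLACEHOLDER=\n"
                "golang.org/x/text v0.14.0 h1:PLACEHOLDER=\n")

if __name__ == "__main__":
    print(npm_hits(SAMPLE_LOCK), go_hits(SAMPLE_GOSUM), triage("."))
```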

The Bigger Picture

The Fake Font npm supply chain attack shows that attackers are avoiding traditional npm lifecycle scripts. They are using IDE tasks instead. The attack also demonstrates how blockchain infrastructure is being used as a resilient dead drop resolver.

The payloads show that the attacker was interested in both immediate theft and interactive access. The Socket.io backdoor provides command execution and file collection. The Python stage performs wide credential and wallet harvesting across browsers, OS credential stores, developer tooling, and cryptocurrency applications.

The Bottom Line

The Fake Font npm supply chain attack is a sophisticated campaign targeting developers. VS Code tasks. Blockchain dead drop resolvers. Python infostealers. Socket.io backdoors.

Check your developer machines. Look for hidden VS Code tasks. Rotate your credentials. And be careful which packages you install.

FAQ Section

What is the Fake Font npm supply chain attack?

It is a campaign where hijacked npm packages use VS Code auto-run tasks to deploy a Python infostealer. The packages were uploaded on May 25, 2026.

Which npm packages have been compromised?

html-to-gutenberg and fetch-page-assets (a dependency of html-to-gutenberg). These packages have been yanked from npm.

How does the malware spread?

The malware uses a hidden VS Code task that runs when the package directory is opened. The task downloads encrypted JavaScript from blockchain transaction data, establishes a Socket.io backdoor, and deploys a Python infostealer.

What is being stolen by the infostealer?

Browser credentials, cryptocurrency wallets, developer credentials, OS credential store, and cloud storage metadata.

Did Go packages face the same threat?

Yes. Nextron Systems found 16 Go packages containing the same malware. All of them were legitimate packages distributed in malicious variants.

What should I do if I had installed such packages?

Uninstall them and check VS Code for hidden tasks.

Source: The Hacker News

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067