
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks

Malware Activity
Happening score (H score): 30
1 unique source, 1 article

Summary


Hijacked npm and Go packages now deliver a Python infostealer through a hidden VS Code auto-run task, putting developer machines and credentials at risk across Windows, Linux, and macOS. The payload chain also establishes a socket.io backdoor and uses blockchain-based dead drops to fetch later stages. The activity broadens supply-chain exposure beyond a single package ecosystem and increases the chance of credential, wallet, and developer-data theft.

Related Happenings

Miasma supply-chain malware activity

Malware Activity
H score 34 · First: 10.06.2026 23:27 · Last: 10.06.2026 23:27 · Sources: 1

About this happening: The **Miasma** malware activity is enabling **supply-chain compromise** by stealing **build environment** and **cloud credentials**, then using them to poison legitimate packages...

IronWorm npm supply-chain infection and self-propagation

Malware Activity
H score 15 · First: 04.06.2026 18:25 · Last: 04.06.2026 18:25 · Sources: 1

About this happening: **IronWorm** is a **Rust** infostealer in an **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...

Miasma GitHub and npm supply-chain campaign

Campaign
H score 26 · First: 02.06.2026 00:38 · Last: 02.06.2026 00:38 · Sources: 1

About this happening: The **Miasma** supply-chain campaign has expanded into **npm** and the **Go ecosystem**, with **malicious npm releases** affecting **LeoPlatform** and **RStreams** packages and a...

Latest development: 05.06.2026 21:05

A new Miasma wave is linked to 57 compromised npm packages across more than 286 malicious versions, with malicious installs abusing a 157-byte binding.gyp file for code execution during npm install and then staging additional payloads that inject persistent backdoor files into project repositories and target AI-assisted IDE workflows.

Vpmdhaj npm preinstall credential-harvest campaign

Campaign
H score 40 · First: 29.05.2026 12:11 · Last: 29.05.2026 12:11 · Sources: 1

About this happening: A new **vpmdhaj** supply-chain campaign has surfaced in **14 malicious npm packages** that use a **preinstall credential harvester** to steal **AWS credentials**, **HashiCorp Vaul...

GlassWorm supply-chain malware activity

Malware Activity
H score 22 · First: 27.05.2026 14:48 · Last: 27.05.2026 14:48 · Sources: 1

About this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...

Timeline

  1. 29.06.2026 08:36 · 1 article

    Malicious npm packages html-to-gutenberg and fetch-page-assets are uploaded

    Untyped Phase

    The malicious npm packages html-to-gutenberg and fetch-page-assets were uploaded to npm, with fetch-page-assets listing html-to-gutenberg as a dependency and setting up the package chain used to deliver the later payloads.

  2. 29.06.2026 08:36 · 2 articles

    Researchers uncover hijacked npm and Go packages that deploy a Python infostealer

    Initial Disclosure

    JFrog and Nextron Systems documented hijacked npm packages and a cluster of Go packages that hide execution in a VS Code task named "eslint-check", retrieve payloads from blockchain transaction data and TronGrid/Aptos, establish a Socket.io backdoor, and deploy a Python infostealer on Windows, Linux, and macOS.
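
A defender-side check for the auto-run task described above, added here as an example (it is not code from JFrog, Nextron Systems, or the packages themselves): it flags every workspace task configured to run when a folder is opened. It assumes the task lives in `.vscode/tasks.json` and relies on VS Code's `runOptions.runOn: "folderOpen"` setting, which the summary does not spell out; `SAMPLE` and its command are constructed placeholders.

```python
import json, re, sys
from pathlib import Path

# String literals are matched first so comment markers inside them are kept.
_COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)
_TRAILING = re.compile(r'"(?:\\.|[^"\\])*"|,(?=\s*[}\]])')
def _keep_strings(m):
    return m.group(0) if m.group(0).startswith('"') else " "

def parse_tasks_json(text):
    """tasks.json is JSONC: drop comments and trailing commas, then parse."""
    return json.loads(_TRAILING.sub(_keep_strings, _COMMENT.sub(_keep_strings, text)))

def audit_tasks(text, reported_labels=("eslint-check",)):
    """Return one finding per task that runs automatically on folder open."""
    findings = []
    for task in parse_tasks_json(text).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        findings.append({
            "label": task.get("label", ""), "command": task.get("command", ""),
            "hidden": task.get("presentation", {}).get("reveal") in ("never", "silent"),
            "reported_label": task.get("label") in reported_labels,
        })
    return findings

def scan_tree(root):
    """Audit every .vscode/tasks.json under root (a checkout, node_modules, GOPATH)."""
    hits = {}
    for path in (p for p in Path(root).rglob("tasks.json") if p.parent.name == ".vscode"):
        try:
            found = audit_tasks(path.read_text(encoding="utf-8", errors="replace"))
        except (OSError, ValueError, AttributeError):  # unreadable or malformed: review by hand
            found = [{"label": "<unparseable>", "command": "", "hidden": False, "reported_label": False}]
        if found:
            hits[str(path)] = found
    return hits

# Constructed sample; the command is a harmless placeholder, not taken from the report.
SAMPLE = """{ // constructed file
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "eslint-check", "type": "shell", "command": "echo placeholder",
     "runOptions": {"runOn": "folderOpen"}, "presentation": {"reveal": "never"},},
  ]
}"""

if __name__ == "__main__":
    print(scan_tree(sys.argv[1]) if sys.argv[1:] else audit_tasks(SAMPLE))
```

Run it with a directory argument to scan a checkout or dependency tree; a hit with `hidden` set is worth reviewing even when the label differs from the one reported.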
