Skip to content

Hijacked npm and Go Packages Deploy Python Infostealer via VS Code Tasks

Bottom line: Hijackers use VS Code Tasks instead of npm lifecycle scripts to deploy a Python infostealer and bypass npm v12 security hardening.

Two compromised npm packages and several Go packages transport a Python-based infostealer onto Windows, Linux, and macOS systems. The attackers bypass conventional npm lifecycle scripts and leverage VS Code Tasks as an execution mechanism.

Security researchers have identified two hijacked npm packages as well as a group of Go packages that deliberately install a Python-powered information stealer on compromised Windows, Linux, and macOS systems. The approach deviates from established attack patterns.

According to JFrog, the attackers intentionally avoid the common npm execution paths via lifecycle scripts. This approach could correspond to a targeted strategy to remain compatible with npm v12 security hardening measures and thereby evade detection mechanisms.

Instead, the attackers leverage Visual Studio Code Tasks as a launch platform. This method exploits the automatic execution of configuration files and enables loading malware payloads without activating classic package manager hooks. Upon successful installation, the infostealer captures sensitive data such as login credentials and other personal information.

CISOs should critically review supply chain risks in their dependency management processes. Particular attention should be paid to monitoring unusual configuration files in project directories and restricting execution privileges for developer tools such as VS Code in production or sensitive environments.


Source: thehackernews.com · Published 29 June 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.

Share on: