Based on reporting by The Hacker News →
Introduction
The software supply chain has a new attack vector that exploits a developer tool itself. A recent campaign hijacked legitimate npm and Go open-source packages to deploy a Python infostealer using the built-in task runner of Visual Studio Code—sidestepping traditional package manager protections.
The problem
Security researchers at JFrog have uncovered a coordinated supply-chain attack where two npm packages were hijacked and a cluster of Go packages were used to deploy a Python-based information stealer. According to a report from The Hacker News, the campaign targets Windows, Linux, and macOS hosts. Crucially, the attackers avoided the most common npm execution path—lifecycle scripts—likely as a deliberate attempt to stay compatible with npm version 12's new security hardening measures. Instead, the malicious code executes via Visual Studio Code tasks, an IDE feature rarely monitored by traditional security tools.
Consequences
Once a developer installs or updates the compromised package and opens the project in VS Code, the task runner automatically executes the malicious payload. The Python infostealer can exfiltrate credentials, environment variables, tokens, and other sensitive data from the developer's machine. Because the attack occurs within the IDE, it bypasses conventional endpoint detection that may not inspect VS Code's task execution, leaving development environments—and the production systems they access—exposed.