VS Code Fake Font malware: npm supply chain attack 2026

Opening a folder in VS Code executed North Korean malware. Attestd had the signal five days earlier.#
June 29, 2026
No malicious code in the repository. No suspicious install script. No prompt asking for permission. A developer clones a project, opens the folder in VS Code or Cursor, and North Korean malware executes automatically.
That is the attack described today by JFrog in their analysis of two hijacked npm packages and sixteen Go packages tied to a North Korean campaign tracked as Fake Font, a sub-campaign of the long-running Contagious Interview operation.
Attestd's pipeline flagged both npm packages on June 24, five days before this story broke.
What happened#
The two npm packages at the centre of this attack are html-to-gutenberg and fetch-page-assets. Both were uploaded to npm on May 25, 2026 and have since been removed from the registry. Both appear legitimate on the surface. Neither contains obviously malicious code in the sense a scanner would catch.
The attack mechanism is a hidden VS Code task named eslint-check, configured with the runOn: 'folderOpen' option. When a developer opens the package directory as a workspace in VS Code or Cursor and the workspace is trusted, the task fires automatically. The payload is disguised as a font file at public/fonts/fa-solid-400.woff2, which contains JavaScript rather than font data.
The JavaScript stage uses blockchain infrastructure as a dead drop resolver, pulling a next-stage payload from TronGrid with Aptos as a fallback. This makes the C2 infrastructure resilient to takedown, since blocking a domain does not block a blockchain transaction. The payload configures a Socket.io backdoor giving the attacker remote shell execution, clipboard harvesting, file system access, and arbitrary JavaScript execution.
In parallel, a Python loader retrieves the final infostealer from attacker-controlled infrastructure. The infostealer targets Chromium and Firefox browser credentials, password managers, authenticators, cryptocurrency wallets, Git credentials, GitHub CLI configuration, GitHub Desktop logs, VS Code global storage, Windows Credential Manager, Linux Secret Service, KDE Wallet, macOS Keychain, and cloud storage metadata for Dropbox, Google Drive, OneDrive, iCloud, Box, Mega, and pCloud.
Collected data is compressed and exfiltrated to the C2 server and optionally to a Telegram bot.
JFrog notes that this attack deliberately avoids lifecycle scripts, which npm v12 has hardened against. The VS Code task mechanism is the evasion. It is not an install-time execution. It is an IDE-time execution, triggered by developer workflow rather than package installation.
What the API returns#
Both packages were compromised on June 24. Both return supply_chain.compromised: true.
curl "https://api.attestd.io/v1/check?product=html-to-gutenberg&version=4.2.11" \
-H "Authorization: Bearer $ATTESTD_API_KEY"
{
"product": "html-to-gutenberg",
"version": "4.2.11",
"supported": true,
"risk_state": "none",
"risk_factors": [],
"actively_exploited": false,
"remote_exploitable": false,
"authentication_required": false,
"patch_available": false,
"fixed_version": null,
"confidence": 0.95,
"cve_ids": [],
"cves": null,
"last_updated": "2026-06-29T15:55:58.275568Z",
"supply_chain": {
"compromised": true,
"sources": ["osv"],
"malware_type": "malware",
"description": "Malicious code in html-to-gutenberg (npm)",
"advisory_url": null,
"compromised_at": "2026-06-24T01:51:00Z",
"removed_at": null
},
"typosquat": null
}
curl "https://api.attestd.io/v1/check?product=fetch-page-assets&version=1.2.9" \
-H "Authorization: Bearer $ATTESTD_API_KEY"
{
"product": "fetch-page-assets",
"version": "1.2.9",
"supported": true,
"risk_state": "none",
"risk_factors": [],
"actively_exploited": false,
"remote_exploitable": false,
"authentication_required": false,
"patch_available": false,
"fixed_version": null,
"confidence": 0.95,
"cve_ids": [],
"cves": null,
"last_updated": "2026-06-29T15:55:58.275568Z",
"supply_chain": {
"compromised": true,
"sources": ["osv"],
"malware_type": "malware",
"description": "Malicious code in fetch-page-assets (npm)",
"advisory_url": null,
"compromised_at": "2026-06-24T01:44:29Z",
"removed_at": null
},
"typosquat": null
}
risk_state: none on both. No CVE IDs. A standard vulnerability scan passes both packages clean. The supply chain signal is the only programmatic way to detect this.
Attestd's pipeline committed both detections on June 24 at 11:33 UTC. JFrog published their analysis today, June 29. Five days.
A separate detection from the same week#
On June 28, four days after the Fake Font npm packages were flagged, the pipeline detected anthropic-internal-tools, a package impersonating Anthropic internal tooling.
curl "https://api.attestd.io/v1/check?product=anthropic-internal-tools&version=1.0.0" \
-H "Authorization: Bearer $ATTESTD_API_KEY"
{
"product": "anthropic-internal-tools",
"version": "1.0.0",
"supported": true,
"risk_state": "none",
"risk_factors": [],
"actively_exploited": false,
"remote_exploitable": false,
"authentication_required": false,
"patch_available": false,
"fixed_version": null,
"confidence": 0.95,
"cve_ids": [],
"cves": null,
"last_updated": "2026-06-29T15:55:58.275568Z",
"supply_chain": {
"compromised": true,
"sources": ["osv"],
"malware_type": "malware",
"description": "Malicious code in anthropic-internal-tools (npm)",
"advisory_url": null,
"compromised_at": "2026-06-28T05:59:11Z",
"removed_at": null
},
"typosquat": null
}
Whether this package is connected to the Fake Font campaign is not something Attestd can determine from the available data. What the ledger shows is that a malicious package impersonating Anthropic internal tooling was published and caught in the same week that North Korean actors were running an attack specifically targeting AI developer tooling and the editors those developers use.
The target profile is consistent. Developers building on Anthropic's APIs are among the most likely users of VS Code and Cursor. They are also among the most likely to have high-value credentials on their development machines.
The Go packages: an honest gap#
JFrog and Nextron Systems identified sixteen Go packages carrying the same malware. Attestd does not currently cover Go supply chain. Those packages return supported: false.
Go ecosystem supply chain coverage is on the Q3 roadmap. The Fake Font campaign targeting Go packages in the same wave as npm packages is a concrete illustration of why that work is prioritised. The same threat actors are operating across ecosystems simultaneously and detection coverage needs to follow.
If you are working with Go packages, the full list of identified malicious packages is in JFrog's analysis published today.
The North Korean developer tooling pattern in 2026#
Three significant North Korean supply chain operations have targeted developer tooling in 2026, all now in the Attestd detection ledger with timestamps.
In April, the Axios HTTP client was compromised via a hijacked maintainer account. A malicious transitive dependency executed at install time. Microsoft attributed the campaign to Sapphire Sleet.
In June, 145 packages across the entire Mastra AI agent framework scope were compromised by the same group using the same clean-then-armed transitive dependency technique, this time with easy-day-js impersonating dayjs. All 145 packages are covered by Attestd.
Now, in the same month, Fake Font targets VS Code and Cursor specifically, hiding execution inside IDE workflow rather than package installation, and targets Go packages alongside npm in the same campaign.
The pattern is a sustained, evolving campaign against the developer toolchain. Not incidental targeting. The tools developers use to write, run, and manage code are the attack surface. The credentials those tools store, including API keys, cloud credentials, git tokens, and cryptocurrency wallets, are the objective.
AI developer tooling is a named target in this campaign. The anthropic-internal-tools package from June 28 is one data point. The Mastra attack on an AI agent framework is another. The Axios compromise targeting a foundational HTTP client used in AI pipelines is a third. The thread is visible and it is not random.
What this means for autonomous systems#
An autonomous system that clones repositories, installs dependencies, or manages its own development environment has the same exposure as a human developer, without the instinct to notice that opening a folder just ran something unexpected.
The VS Code task mechanism in this campaign is particularly relevant for agentic coding tools. Claude Code, Cursor, and similar tools operate in exactly the environment this attack targets. A coding agent tasked with setting up a project could open a workspace folder and execute the attack chain before any human reviewer sees the output.
The supply chain signal is the detection layer that catches this. Not CVE scanning. Not static analysis of the package contents. A known-compromised version flag sourced from OSV, returned in a single API call before the dependency is used.
Coverage#
Both html-to-gutenberg and fetch-page-assets are covered and return supply_chain.compromised: true. anthropic-internal-tools is covered and returns supply_chain.compromised: true. The sixteen Go packages identified in this campaign are not yet covered. Go ecosystem supply chain coverage is Q3 2026.
All detections are recorded in the public detection ledger at github.com/attestd-io/detection-ledger with timestamps and commit hashes. The live dashboard is at attestd.io/docs/detection-ledger.
API documentation is at attestd.io/docs.