Published: · Region: Global · Category: cyber

Hijacked Developer Tools Attack Exposes New Supply‑Chain Weakness in VS Code, npm and Go

A newly detailed campaign shows how hijacked npm and Go packages, combined with a Visual Studio Code booby‑trap, were used to plant a Python info‑stealer on developers’ machines — with malicious JavaScript hidden as a font file and updated via blockchain ‘dead drops.’ For software teams, the attack is a reminder that the build environment itself has become a target.

A sophisticated software‑supply‑chain attack has leveraged hijacked npm and Go packages together with a Visual Studio Code trick to infect developers’ machines with a Python‑based information stealer, exposing how deeply attackers are now burrowing into the tools that power modern coding.

Security researchers detailed the campaign in late June, warning that even a “trusted” VS Code workspace could quietly execute malicious tasks. Instead of relying on the more familiar npm lifecycle scripts that often draw scrutiny, the attackers abused hidden folder‑open tasks inside Visual Studio Code. When a developer opened a prepared project, the editor itself could be induced to run code without the explicit, suspicious‑looking install commands defenders usually monitor.

The poisoned ecosystem did not stop there. The attackers also compromised npm and Go packages, inserting malicious payloads upstream in widely used open‑source components. To evade detection, the JavaScript code at the heart of the operation was disguised as a font file, a format typically associated with design assets rather than executable logic. That file in turn reached out to so‑called blockchain “dead drops” — data embedded in decentralized ledgers — to retrieve fresh instructions, making it harder for defenders to block the campaign simply by taking down a server or sinkholing a domain.

Once fully staged, the attack chain deployed a Python‑written info‑stealer designed to siphon sensitive data from the developer’s environment. That could include authentication tokens, API keys, repository credentials or other footholds into corporate networks. For individual coders, the immediate risk is account compromise and reputational damage. For companies, a single infected laptop on an engineer’s desk can become the doorway to source‑code theft, backdoors in customer software or lateral movement into cloud infrastructure.

The human and operational stakes are substantial because the targets are not casual end‑users but the people and systems that build the digital world’s foundations. Development environments are often granted elevated permissions and trusted network access. Many organizations also assume their build pipelines and integrated development environments are secure by design, focusing defenses instead on production servers or customer‑facing applications. This campaign exploits that blind spot directly.

Strategically, the incident reinforces that software‑supply‑chain security is now a primary theater in cyber conflict and crime. By compromising widely used packages and popular editors, attackers can scale their reach across borders and industries with a single successful insertion. The use of blockchain as a resilient command‑and‑control mechanism points to adversaries who expect takedown attempts and are architecting around them from the outset.

This fits a broader pattern that has emerged from earlier high‑profile supply‑chain breaches: attackers increasingly aim at the tools and trust relationships inside development ecosystems rather than at the better‑guarded perimeter. Dependency managers, CI/CD pipelines, plugin systems and now workspace settings all offer potential paths to run malicious code under the guise of normal operations. The more complex and interdependent modern software stacks become, the wider the attack surface grows.

One hard but memorable lesson for organizations is that “trusted” in developer tooling must mean verified continuously, not assumed once. A signed package or a familiar editor icon is no longer enough; configuration, dependencies and background tasks need the same level of scrutiny typically reserved for externally exposed services.

Signals to watch from here include whether major platforms like GitHub, npm, Go’s module ecosystem and the maintainers of Visual Studio Code roll out new safeguards or warnings around workspace‑triggered tasks; whether incident‑response teams report real‑world compromises tied to this campaign; and if regulators or industry bodies move toward stricter standards for securing software build chains. If this attack proves successful at scale, it is likely to be imitated, turning the developer’s desktop into one of the most contested front lines in cybersecurity.

Sources

Related Coverage

GLOBAL

New libssh2 Flaw Puts Git, PHP and Appliances at Silent Remote‑Code Risk

Exploit code is now public for CVE‑2026‑55200, a critical libssh2 vulnerability that lets a malicious SSH server corrupt memory on connecting clients without credentials or user interaction. Because libssh2 is bundled into tools like curl, Git, PHP and network appliances, the real challenge is hunting down hidden copies before attackers turn routine SSH traffic into a foothold.
GLOBAL

Russia’s 90% Grip on Nuclear Energy Market Puts Sanctions Strategy Under Pressure

A prominent Gulf finance figure says Russia now controls more than 90% of the global nuclear energy market and is in talks with Islamic finance institutions to help fund its technology exports. Moscow’s dominance in reactors and fuel supply gives it quiet leverage over countries seeking low‑carbon power, complicating Western efforts to isolate Russia while keeping grids stable.
GLOBAL

China’s Export Curbs and Europe’s Gas Gap Expose a New Phase of Energy and Tech Squeeze on U.S. Allies

Beijing’s decision to hit Japanese drone, nuclear and defense sectors with new export curbs, combined with warnings that Europe may start winter with 15‑year low gas stocks, points to a tightening vise on U.S. allies’ energy and technology security. Together, the moves show how supply chains and storage tanks are becoming front‑line tools in global power politics.
WARNING

Burkina Faso Cuts Ties With France, Deepening Sahel Power Realignment and Security Risk

Burkina Faso’s junta announced on 27 June it is severing diplomatic relations with France, accusing Paris of neo‑colonial interference and acting against its national interests. The rupture accelerates France’s retreat from the Sahel security architecture and consolidates a bloc of anti‑French military regimes now leaning harder toward Russia and non‑Western partners, with knock‑on risks for jihadist containment, mining operations, and Western basing.
WARNING

Reports: Strike Ignites Fire at Kerch Power Link, Threatening Crimea Supply Resilience

Satellite fire detections near the Kuban cable crossing by Kerch around 06:15 UTC suggest possible damage to infrastructure feeding power into the Kerch Strait area and a nearby S‑300/S‑400 air defense site. Any confirmed degradation of Kerch‑area energy and air defenses would weaken Russia’s grip on Crimea’s lifelines and elevate operational risk for Black Sea logistics and shipping.
WARNING

Venezuela Twin Quakes Kill 1,450, Leave 50,000 Missing, Threaten State Capacity and Exports

Drone footage from La Guaira filmed shortly after 07:00 UTC shows whole blocks leveled, as Venezuelan authorities now cite at least 1,450 dead, around 3,500 injured and roughly 50,000 missing after powerful twin earthquakes. The scale of destruction risks overwhelming a fragile state, straining ports and power networks critical for oil exports and heightening the odds of political instability and mass displacement.