Hijacked npm and Go Packages Deploy Python Infostealer
Cybersecurity researchers have identified two hijacked npm packages and a group of Go packages that are actively distributing a Python-based information stealer. These malicious packages target Windows, Linux, and macOS operating systems, aiming to compromise user data.
The attack strategy employed by these packages is notable for avoiding the standard npm execution path. According to JFrog, the cybersecurity firm that published findings on this threat, the attackers bypassed the common npm execution paths, namely the lifecycle scripts that run during installation, rather than relying on them. This choice may have been made to circumvent security enhancements introduced in npm version 12, which aim to harden the package manager against malicious code execution.
Instead of relying on typical script execution during package installation, the compromised packages leverage VS Code tasks. These tasks are designed to execute arbitrary commands on the host system, facilitating the deployment of the Python infostealer. The use of VS Code tasks as an execution vector represents a novel technique for malware distribution within the software development ecosystem, potentially catching security tools and developers off guard.
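Because the execution vector is a VS Code task rather than an npm lifecycle script, install-time hooks such as auditing `package.json` scripts will not see it. A defender reviewing an unpacked package can instead inspect any `.vscode/tasks.json` it ships and flag tasks that run automatically or launch interpreters. The scanner below is an added example written for this article; it is not code from JFrog, The Hacker News, or the hijacked packages. It relies on real VS Code task fields (`runOptions.runOn`, `presentation.reveal`, `type`, `command`, `args`), while the list of "suspicious" interpreters and both sample `tasks.json` documents are constructed for illustration.

```python
"""Heuristic scanner for VS Code tasks.json files shipped inside a package (added example)."""
import json
import os
import re

# runOptions.runOn values that start a task without the developer invoking it
AUTO_RUN_TRIGGERS = {"folderOpen"}

# Interpreters and downloaders that rarely belong in a library's build task
# (constructed indicator list; tune for your environment)
SUSPICIOUS_COMMAND_RE = re.compile(
    r"\b(python3?|py|curl|wget|powershell|pwsh|certutil|bitsadmin|base64)\b",
    re.IGNORECASE,
)


def _load_tasks_json(text):
    """tasks.json permits // comments and trailing commas; strip them before json.loads.

    Simplified: only whole-line comments are handled, which is enough for this demo.
    """
    no_comments = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    no_trailing = re.sub(r",(\s*[}\]])", r"\1", no_comments)
    return json.loads(no_trailing)


def _command_string(task):
    """Join command and args into one string for pattern matching."""
    parts = [task.get("command", "")] + [str(a) for a in task.get("args", [])]
    return " ".join(p for p in parts if p)


def scan_tasks_json(text):
    """Return a list of (task_label, reason) findings for one tasks.json document."""
    findings = []
    doc = _load_tasks_json(text)
    for task in doc.get("tasks", []):
        label = task.get("label", "<unlabelled>")
        run_on = task.get("runOptions", {}).get("runOn")
        if run_on in AUTO_RUN_TRIGGERS:
            findings.append((label, f"auto-runs on {run_on} without user action"))
        if task.get("presentation", {}).get("reveal") == "never":
            findings.append((label, "terminal output hidden (presentation.reveal=never)"))
        if task.get("type") == "shell" and SUSPICIOUS_COMMAND_RE.search(_command_string(task)):
            findings.append(
                (label, f"shell task invokes interpreter/downloader: {_command_string(task)}")
            )
    return findings


def scan_package_dir(root):
    """Walk an unpacked package and scan every .vscode/tasks.json (relative path -> findings)."""
    results = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in filenames:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, encoding="utf-8") as fh:
                results[os.path.relpath(path, root)] = scan_tasks_json(fh.read())
    return results


# Constructed samples: an ordinary build task, and a task shaped like the
# auto-run abuse described in the article (no real payload, just the pattern).
BENIGN_TASKS = """{
  // build the project
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "npm", "script": "build", "group": "build" },
  ]
}"""

SUSPICIOUS_TASKS = """{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "prepare",
      "type": "shell",
      "command": "python3",
      "args": ["./.vscode/setup.py"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }
    }
  ]
}"""

if __name__ == "__main__":
    for name, text in (("benign", BENIGN_TASKS), ("suspicious", SUSPICIOUS_TASKS)):
        print(name, scan_tasks_json(text) or "no findings")
```

Run `scan_package_dir("/path/to/unpacked/package")` after extracting a tarball or module zip in an isolated directory; a non-empty result means the package can execute commands as soon as a developer opens the folder in VS Code, which is the behaviour to block or review before the package is allowed into a build.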
The infostealer itself is designed to exfiltrate sensitive information from infected machines. While the specific details of the data targeted are still under investigation, information stealers typically aim to collect credentials, financial data, and other personally identifiable information. The cross-platform compatibility of the malware, affecting Windows, Linux, and macOS, broadens its potential impact across diverse development environments and user bases.
Original source: read the full reporting on The Hacker News.