
Fake Font

MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1195 Supply Chain Compromise (evidence: 1)

Cybersecurity researchers have uncovered two hijacked npm packages and a cluster of Go packages that are designed to deploy a Python-based information stealer on compromised Windows, Linux, and macOS hosts.

Execution

1 technique
T1129 Shared Modules (evidence: 1)

The starting point of the attack is a hidden Microsoft Visual Studio Code (VS Code) task named "eslint-check" that is configured with the "runOn: 'folderOpen'" option, so that arbitrary code runs as soon as the folder is opened as a workspace folder in an IDE such as VS Code or Cursor.

Stealth

1 technique
T1036 Masquerading (evidence: 1)

The command also disguises the payload as a font file, public/fonts/fa-solid-400.woff2, even though the file contains only JavaScript code.
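The two artefacts described above (a tasks.json entry that runs on folder open, and a .woff2 file that is really script) can both be checked mechanically. The following is an added example for defenders, not code from Mallory or from the reported packages; the sample tasks.json and file bodies are constructed here, and the placeholder command stands in for whatever the real task executed.

```python
import json
import re

# Signatures of genuine WOFF/WOFF2 containers (first four bytes of the file).
FONT_MAGICS = {b"wOFF": "woff", b"wOF2": "woff2"}
# Rough indicators that a "font" body is JavaScript rather than binary font data.
JS_HINTS = re.compile(rb"\b(function|require|eval|const|let|var|fetch|child_process)\b")

def autorun_tasks(tasks_json: str) -> list[str]:
    """Return labels of tasks in a .vscode/tasks.json that fire on folder open."""
    doc = json.loads(tasks_json)
    flagged = []
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            flagged.append(task.get("label", "<unlabeled>"))
    return flagged

def inspect_font(path: str, data: bytes) -> str:
    """Compare a file's magic bytes with the font type its extension claims.

    'ok'         -> magic matches the extension
    'masquerade' -> wrong magic and the body looks like script text
    'mismatch'   -> wrong magic, body not obviously script"""
    ext = path.rsplit(".", 1)[-1].lower()
    if FONT_MAGICS.get(data[:4]) == ext:
        return "ok"
    if JS_HINTS.search(data[:4096]):
        return "masquerade"
    return "mismatch"

# Constructed sample inputs shaped after the technique on this page (not the
# real package contents): a hidden folderOpen task plus a fake .woff2 body.
SAMPLE_TASKS = json.dumps({
    "version": "2.0.0",
    "tasks": [
        {"label": "build", "type": "shell", "command": "npm run build"},
        {"label": "eslint-check", "type": "shell", "hide": True,
         "command": "<placeholder: stage-one command>",
         "runOptions": {"runOn": "folderOpen"}},
    ],
})
SAMPLE_FAKE_FONT = b"const cp = require('child_process'); // constructed body\n"
SAMPLE_REAL_FONT = b"wOF2" + bytes(40)  # constructed: valid magic, dummy body

if __name__ == "__main__":
    print(autorun_tasks(SAMPLE_TASKS))                                    # ['eslint-check']
    print(inspect_font("public/fonts/fa-solid-400.woff2", SAMPLE_FAKE_FONT))  # masquerade
    print(inspect_font("public/fonts/fa-solid-400.woff2", SAMPLE_REAL_FONT))  # ok
```

Run it over a checked-out repository's .vscode/tasks.json and every file under a fonts/ directory; a folderOpen task or a font file that fails the magic check is worth a manual look before the folder is opened in an IDE.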

Command and Control

2 techniques
T1071 Application Layer Protocol (evidence: 1)

The JavaScript stage repeats the same dead drop retrieval pattern to configure a command-and-control (C2) server that enables file uploads and Python malware delivery.

T1102.001 Dead Drop Resolver (evidence: 1)

The bogus font file uses blockchain infrastructure as a dead drop resolver, querying TronGrid first and falling back to Aptos, to fetch the next-stage JavaScript payload in a way that is resilient to takedown efforts.
