On May 25, 2026, attackers uploaded compromised npm packages that exploited Visual Studio Code to deploy InvisibleFerret, a Python-based information stealer. The attack targeted developers on Windows, macOS, and Linux by hiding malicious JavaScript inside a fake font file, executing it automatically when victims opened their project folders.
This wasn't a typical supply chain vulnerability. The packages weren't backdoored dependencies — they were trojan horses designed to compromise the developer's local environment as soon as VS Code initialized the workspace.
Attack Timeline
May 25, 2026: Attackers publish malicious npm packages to the registry. The packages contain a .vscode/tasks.json file configured to execute on folder open.
Initial execution: When a developer installs the package and opens the project in VS Code, the editor reads the tasks configuration. A hidden task named eslint-check triggers automatically due to the runOn: folderOpen setting.
Payload delivery: The task executes a Node.js script that decodes malicious JavaScript disguised as public/fonts/fa-solid-400.woff2 — a file that appears to be a standard web font but contains executable code.
Malware deployment: The decoded script fetches the InvisibleFerret backdoor from blockchain-based infrastructure, tracked by the OpenSourceMalware research group as part of the "Fake Font" campaign. The backdoor targets developer credentials, SSH keys, browser sessions, and source code.
Discovery: JFrog's security research team identified the attack vector and published technical analysis of how the VS Code task mechanism was exploited.
Failed Controls
Workspace trust boundaries: VS Code's workspace trust model is meant to prevent untrusted code execution, but many developers disable these prompts or automatically trust all workspaces to avoid friction. The attack exploited this trust gap.
Package vetting: The malicious packages passed through npm's automated checks because they contained no obviously malicious code in JavaScript files. The payload was encoded and stored as a binary font file.
File type validation: Development environments don't typically scan font files or other static assets for executable content. The .woff2 extension provided cover for the JavaScript payload.
Network egress monitoring: The use of blockchain infrastructure for command-and-control communication bypassed traditional domain-based blocking. The malware communicated with smart contract addresses rather than registered domains.
Task runner auditing: VS Code tasks run with the developer's full system permissions. There's no sandboxing, no permission model, and no audit log of which tasks executed or what they accessed.
Compliance Standards
PCI DSS v4.0.1 Requirement 6.3.2 mandates that bespoke and custom software is developed securely, including the development environment itself. If your developers handle cardholder data, their workstations are in-scope systems. A compromised IDE can exfiltrate payment data directly from source code, configuration files, or database connection strings.
NIST 800-53 Rev 5 Control SA-10 (Developer Configuration Management) requires organizations to track and control changes to information systems during development. When your developers' local environments can execute arbitrary code from package managers without review, you've lost configuration management.
ISO/IEC 27001:2022 Control 8.31 (Separation of Development, Test and Production Environments) addresses environment isolation, but most organizations interpret this as network segmentation between deployment stages. The control should extend to the development workstation itself — a developer's local environment is a development environment that needs hardening.
SOC 2 Type II CC6.6 (Logical and Physical Access Controls) requires restricting access to system components. When package managers can modify your IDE's task configuration without explicit approval, you don't have meaningful access control over your development infrastructure.
None of these frameworks specifically address IDE task runners because the control frameworks haven't caught up to how developers actually work. You need to extend the intent of these requirements to cover modern development tooling.
Lessons and Action Items
Audit VS Code workspace settings across your organization. Run this search on developer workstations:
find ~ -name "tasks.json" -path "*/.vscode/*" -exec grep -l "runOn" {} \;
Any task with runOn: folderOpen should be reviewed. Legitimate uses exist (like starting a development server), but you need to know what's executing automatically.
Enforce workspace trust. Set security.workspace.trust.enabled: true in your organization's VS Code settings policy. Developers may resist, but the alternative is what happened here.
Scan non-code files in packages. Your dependency scanning tools probably check .js and .py files but ignore fonts, images, and other assets. Extend your scanning to detect encoded or obfuscated content in any file type. Tools like binwalk can identify executable content hidden in binary files.
Monitor blockchain communication. If you see workstations making HTTPS requests to known blockchain RPC endpoints (Ethereum, BSC, Polygon), investigate. Developers rarely need direct blockchain access. Build a baseline of legitimate blockchain traffic in your environment, then alert on deviations.
Implement egress filtering for development networks. Developer workstations shouldn't have unrestricted internet access. Route their traffic through a proxy that logs destinations and blocks known malware infrastructure. The blockchain dead drop technique works because most organizations don't monitor outbound connections from internal networks.
Review your package installation process. Do developers run npm install on packages without reviewing what gets downloaded? Require code review of package.json changes. Use npm ci in CI/CD (which installs from a lockfile) instead of npm install (which can pull new versions).
Log IDE task execution. VS Code doesn't log task execution by default. You need endpoint detection and response (EDR) tooling that monitors process creation. Configure your EDR to alert when VS Code spawns child processes, especially Node.js or Python interpreters.
The attackers chose VS Code because it's ubiquitous and trusted. Your developers open VS Code dozens of times per day. It has access to source code, credentials, and network connectivity. It's a better target than the application itself.
Treat your development environment as production infrastructure. Apply the same hardening, monitoring, and access controls. The next supply chain attack won't compromise your application — it will compromise the people who build it.



