Hijacked npm and Go Packages Deploy Python Infostealer via VS Code Tasks
What Happened — Researchers identified two npm modules and a collection of Go packages that have been compromised to pull down a Python‑based information‑stealer. The malicious code is executed through VS Code task definitions, allowing the payload to run on Windows, Linux and macOS hosts without using the typical npm lifecycle scripts.
Why It Matters for Compliance & Audit Readiness
- This supply‑chain intrusion is a textbook example of why SOC 2 vendor‑management controls (CC6.1 – Third‑Party Risk Management) must be continuously monitored and evidenced.
- Without real‑time visibility into third‑party package provenance, organizations cannot demonstrate due diligence during an audit, leaving the “Control Environment” and “Risk Management” criteria exposed.
- Verisq’s Vendor Risk capability provides automated provenance checks and audit‑ready evidence that a compromised package was detected before it could affect production.
Who Is Affected – Software development teams, DevOps pipelines, and any organization that consumes open‑source npm or Go libraries (technology, finance, healthcare, retail, etc.).
Recommended Actions
- Inventory all npm and Go dependencies used in production and map them to SOC 2 vendor‑risk controls.
- Enable automated SBOM generation and integrate a continuous monitoring solution that flags newly published or updated packages.
- Review and tighten VS Code task execution policies; restrict task runner permissions to the minimum required.
- Document the detection process and evidence collection to satisfy SOC 2 audit requirements.
Source: The Hacker News
Technical Notes – The attack bypasses npm v12’s hardened lifecycle scripts, leveraging VS Code’s tasks.json to launch a Python stealer that harvests credentials, browser data, and system information. No specific CVE is cited; the vector is a third‑party dependency compromise.