Open-source platforms have become essential tools for software developers, but they are also increasingly used as delivery channels for sophisticated cyberattacks. Security researchers are now tracking a new campaign in which malicious code is hidden inside seemingly legitimate GitHub repositories, targeting developers through booby-trapped project configuration files that abuse editor automation.
The campaign, known as “Fake Font,” is reportedly linked to a broader operation that has previously used fake job interviews and software development tasks to compromise victims. In this latest variation, attackers distribute repositories that appear harmless but contain hidden malicious functionality designed to execute automatically inside Visual Studio Code.
According to Cyber News, the attack takes advantage of Visual Studio Code's task automation system: tasks defined in a project's .vscode/tasks.json can be configured to run as soon as the folder is opened. When a developer opens the infected project, such a predefined task can trigger scripts without drawing immediate attention, so the malware begins executing as part of what appears to be a normal development workflow. Because developers routinely clone repositories and run build tasks, the approach blends into standard software engineering behavior. One caveat: VS Code's Workspace Trust feature keeps a newly opened folder in Restricted Mode, where tasks do not run, until the developer marks it as trusted, so the technique relies on that trust being granted to the cloned project.
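To make the mechanism concrete, here is an added example, not code from the article, from Cyber News, or from the campaign itself: a Python scanner that reads a cloned repository's .vscode/tasks.json and reports any task VS Code would launch on folder open, following dependsOn links so a harmless-looking auto-run task cannot hide its real command behind a dependency. The sample tasks.json, the heuristic command patterns and the temporary checkout are constructed for this example.

```python
"""Scan a cloned repository for VS Code tasks that run on folder open.

Added example, not the article's or the campaign's code. It relies on two
documented VS Code behaviours: a task with "runOptions": {"runOn": "folderOpen"}
starts automatically when the folder is opened in a trusted workspace, and
"dependsOn" makes it run other tasks first. SAMPLE_TASKS_JSON is constructed.
"""
import json
import re
import tempfile
from pathlib import Path

AUTO_RUN = "folderOpen"

# Heuristic download-and-execute / decode-and-execute patterns. An
# illustrative assumption, not a complete signature set.
SUSPICIOUS = re.compile(
    r"curl|wget|Invoke-WebRequest|base64|python3?\s+-c|powershell.*\s-e(nc|c)?\b"
    r"|bash\s+-c|\beval\b|\bexec\b|/dev/tcp",
    re.IGNORECASE,
)

# Constructed sample: the auto-run task looks harmless, but it depends on a
# hidden task whose terminal output is suppressed.
SAMPLE_TASKS_JSON = r"""{
  // tasks.json is JSON with comments; plain json.loads() rejects this line
  "version": "2.0.0",
  "tasks": [
    { "label": "Build fonts", "type": "shell", "command": "npm",
      "args": ["run", "build"], "group": "build" },
    { "label": "Prepare workspace", "type": "shell", "command": "echo",
      "args": ["preparing font cache"],
      "dependsOn": ["Install font cache"],
      "runOptions": { "runOn": "folderOpen" } },
    { "label": "Install font cache", "type": "shell", "command": "python3",
      "args": ["-c", "import base64;exec(base64.b64decode('<b64 payload>'))"],
      "presentation": { "reveal": "never", "echo": false }, }
  ]
}
"""

def strip_jsonc(text: str) -> str:
    """Drop /* */ and whole-line // comments plus trailing commas so the
    standard json module accepts VS Code's JSON-with-comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return re.sub(r",(\s*[}\]])", r"\1", text)

def task_command(task: dict) -> str:
    """Flatten command and args into one reviewable string."""
    parts = [str(task["command"])] if task.get("command") else []
    parts.extend(str(a) for a in task.get("args", []))
    return " ".join(parts)

def resolve_chain(label: str, by_label: dict, seen: set) -> list:
    """Labels that run when `label` runs: dependsOn tasks first (recursively),
    then the task itself. This is where an innocent auto-run task hides its work."""
    if label in seen or label not in by_label:
        return []
    seen.add(label)
    deps = by_label[label].get("dependsOn", [])
    chain = []
    for dep in [deps] if isinstance(deps, str) else deps:
        if isinstance(dep, str):  # object-form dependsOn entries are not resolved here
            chain.extend(resolve_chain(dep, by_label, seen))
    chain.append(label)
    return chain

def scan_tasks_json(path: Path) -> list:
    """Report every task VS Code would start on folder open, with the full
    command chain it executes and a heuristic suspicion flag."""
    tasks = json.loads(strip_jsonc(path.read_text(encoding="utf-8"))).get("tasks", [])
    by_label = {t.get("label") or f"<task {i}>": t for i, t in enumerate(tasks)}
    findings = []
    for label, task in by_label.items():
        if task.get("runOptions", {}).get("runOn") != AUTO_RUN:
            continue
        chain = resolve_chain(label, by_label, set())
        command = " && ".join(task_command(by_label[name]) for name in chain)
        findings.append({"label": label, "chain": chain, "command": command,
                         "suspicious": bool(SUSPICIOUS.search(command))})
    return findings

def scan_repo(repo: Path) -> list:
    """Scan a checkout before opening it; no tasks.json means nothing auto-runs."""
    tasks_json = repo / ".vscode" / "tasks.json"
    return scan_tasks_json(tasks_json) if tasks_json.is_file() else []

def demo() -> list:
    """Write the constructed sample into a temporary checkout and scan it."""
    repo = Path(tempfile.mkdtemp(prefix="fakefont-"))
    (repo / ".vscode").mkdir()
    (repo / ".vscode" / "tasks.json").write_text(SAMPLE_TASKS_JSON, encoding="utf-8")
    return scan_repo(repo)

if __name__ == "__main__":
    for f in demo():
        tag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"[{tag}] {f['label']}: {' -> '.join(f['chain'])}\n    {f['command']}")
```

Run it against a checkout before opening the folder in the editor. Workspace Trust remains the built-in safeguard, since a folder left in Restricted Mode runs no tasks at all; the scan is most useful where trust has already been granted broadly or the prompt has been disabled. Multi-root .code-workspace files can carry task definitions as well and are not covered by this scanner.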
Once activated, the infection chain reportedly deploys a Python-based backdoor capable of operating across Windows, macOS, and Linux systems. The malware focuses heavily on credential theft and cryptocurrency targeting. According to researchers, it can extract stored browser credentials, log keystrokes, and monitor clipboard activity for cryptocurrency wallet addresses. The clipboard manipulation component allows attackers to silently replace copied wallet addresses with attacker-controlled ones during transactions.
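The clipboard component is a classifier plus a swap, and the defensive check is its mirror image. The following added example, which is not code from the article or from the malware, simulates the swap with format-level wallet-address patterns and pairs it with a guard that compares what the user deliberately copied against what the clipboard holds at paste time. The addresses, the patterns and the simulated clipboard are constructed; the patterns check shape only and do not validate checksums.

```python
"""Clipboard-swap simulation and detection for wallet-address "clipper" behaviour.

Added example, not the article's or the malware's code. A clipper polls the
clipboard and, when it sees something shaped like a wallet address, replaces
it with the attacker's address of the same kind. The guard records what the
user deliberately copied and flags a clipboard that now holds a different
address. Everything here is simulated so it runs offline.
"""
import re

# Format-level patterns for common address types: an assumption for
# illustration, neither complete nor checksum-validating.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{20,80}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

USER_ETH = "0x" + "ab" * 20                     # constructed payee address
ATTACKER_ADDRESSES = {"eth": "0x" + "cd" * 20}  # constructed clipper config

def classify(text: str):
    """Return the address kind `text` looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None

class SimulatedClipper:
    """Models the malware loop: same-kind address in, attacker's address out."""
    def __init__(self, attacker_addresses: dict):
        self.attacker_addresses = attacker_addresses  # kind -> address

    def tamper(self, clipboard: str) -> str:
        kind = classify(clipboard)
        return self.attacker_addresses.get(kind, clipboard) if kind else clipboard

class ClipboardGuard:
    """Defensive check: remember the user's own copy, flag a silent change."""
    def __init__(self):
        self.expected = None  # (kind, address) from the last deliberate copy

    def on_user_copy(self, text: str):
        kind = classify(text)
        self.expected = (kind, text.strip()) if kind else None

    def check(self, clipboard_now: str):
        """Return a finding when the clipboard holds an address the user did not copy."""
        kind = classify(clipboard_now)
        if kind is None or self.expected is None:
            return None
        expected_kind, expected_addr = self.expected
        if clipboard_now.strip() == expected_addr:
            return None
        return {"kind": kind, "copied": expected_addr, "clipboard": clipboard_now.strip(),
                "same_kind_swap": kind == expected_kind}

def simulate(user_address: str, attacker_addresses: dict):
    """Walk one copy/paste through a clipper and the guard; return the finding or None."""
    guard = ClipboardGuard()
    guard.on_user_copy(user_address)                       # user copies the payee address
    clipboard = SimulatedClipper(attacker_addresses).tamper(user_address)
    return guard.check(clipboard)                          # what the user is about to paste

def demo():
    """Constructed run: an ETH address is copied while an ETH clipper is active."""
    return simulate(USER_ETH, ATTACKER_ADDRESSES)

if __name__ == "__main__":
    print(demo())
```

The guard only works if it observes the copy event itself (a clipboard-history tool or a wallet front end can do this); a clipper that also intercepts the copy would defeat it, which is why the check belongs in the wallet's paste handler rather than in a separate process.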
The malware also targets more than a dozen browser-based cryptocurrency wallet extensions, attempting to harvest authentication data and private access credentials directly from infected systems.
From a cybersecurity and defense perspective, the campaign highlights growing concern around software supply-chain attacks and developer-focused intrusion methods. Developers often operate with elevated permissions and direct access to sensitive infrastructure, making compromised coding environments particularly valuable to attackers.
The use of trusted platforms like GitHub also complicates detection. Instead of relying on traditional phishing attachments or suspicious downloads, attackers embed malicious logic inside real development environments where users expect to execute code routinely.
The broader trend reflects how threat actors are increasingly targeting the software ecosystem itself, focusing not only on end users but on the tools and workflows used to build modern digital infrastructure.