Hijacked npm/Go packages weaponise VS Code folderOpen task autorun → Python infostealer

JFrog Security Research disclosed two compromised npm packages (html-to-gutenberg v4.2.11, fetch-page-assets v1.2.9, uploaded 2026-05-25) plus 16 malicious Go packages carrying an identical chain (JFrog Security Research, 2026-06-24 · The Hacker News, 2026-06-29). A hidden eslint-check task in .vscode/tasks.json is configured with runOn: "folderOpen", so opening the project as a trusted workspace in VS Code or Cursor auto-executes the payload — deliberately sidestepping npm v12's lifecycle-script hardening that blocked preinstall/postinstall scripts by default. The payload (disguised as a fa-solid-400.woff2 font) pulls AES-encrypted stages from blockchain transaction data via TronGrid and Aptos APIs (a takedown-resilient dead-drop), then runs a cross-platform Python infostealer targeting browser stores, password managers, crypto wallets, and cloud-provider configs (AWS/Azure/GCP). Mapped to T1195.001, T1059.006, T1020.

Why it matters to us: Detection teams that added EDR coverage for node.exe→python chains under npm install will miss this — the parent is code.exe→python triggered by opening a folder. Add a CI/CD repository-scan rule for .vscode/tasks.json containing runOn: "folderOpen", and treat dependency-shipped .vscode/ directories as untrusted; enforce VS Code Workspace Trust so untrusted folders cannot auto-run tasks.

An unidentified actor gained unauthorised access to Brazil's national Cell Broadcast emergency-alert platform overnight 19–20 June 2026 and sent at least ten unauthorised "Extreme Alert" notifications — the highest-severity tier, reserved for imminent-danger events — to roughly 30 million phones across seven states (The Next Web, 2026-06-20). The Ministry of Integration and Regional Development took the platform offline at 01:30 on 20 June after confirming the intrusion; Brazil's Federal Police opened an investigation and no actor has been formally attributed (a person who claimed responsibility on X had their posts removed, but police have not confirmed the claim). The specific access vector — compromised administrative credential, API key, or platform vulnerability — has not been disclosed. Cell Broadcast is architecturally designed to bypass user opt-outs and to activate devices that are on silent, which is exactly what makes administrative-plane control of it so consequential. [SINGLE-SOURCE] on the primary technical detail — see § 7.

Why it matters to us: This is a demonstrator for a risk class, not a Brazil-specific story. The EU Electronic Communications Code (Directive 2018/1972) mandates Cell Broadcast-based public-warning systems across member states, and Switzerland's Federal Office for Civil Protection (BABS) runs the same technology as ALERTSWISS. The incident points at the administration interface — privileged access to the broadcast console — rather than radio-side spoofing, so operators should prioritise MFA and PAM on alert-platform admin accounts, least-privilege on broadcast-issuing roles, and anomaly detection on outbound broadcast commands (volume, severity tier, off-hours issuance). A false high-severity alert is both a public-safety and a public-trust event.

The polyfill[.]io CDN domain — seized and weaponised in the June 2024 supply-chain attack that affected more than 100,000 sites — became active again in late May 2026 and began answering with HTTP 401 authentication challenges, which browsers render as native credential dialog boxes (BleepingComputer, 2026-06-05). Any site still loading a <script src="…polyfill[.]io…"> tag — a failure documented across many organisations since 2024 — now prompts visitors for credentials in a dialog that appears to originate from the trusted site. Toshiba published a warning on 2026-06-02 telling users to click Cancel without entering anything (Toshiba, 2026-06-02); Muji issued a parallel notice stating it had not confirmed unauthorised access or data leakage (BleepingComputer, 2026-06-05). This is mechanically distinct from the 2024 redirect-to-malicious-JavaScript attack: the harm here is HTTP-401-induced credential phishing, not script injection, so neither party has confirmed exfiltration — but both advised affected users to change passwords. Maps to T1195.002 (Compromise Software Supply Chain). Why it matters to us: The exposure is entirely a function of stale third-party references, which most organisations underestimate. Grep all rendered HTML, CMS templates, and CDN-inclusion lists for polyfill[.]io with any subdomain or path; replace with the legitimate polyfill.com / polyfill.top mirrors or self-hosted polyfills, and enforce Subresource Integrity (SRI) on all third-party scripts. Web-proxy/SWG logs showing 401 responses from polyfill[.]io pinpoint pages that still load the script.