North Korea’s Lazarus Group is running a supply chain attack dubbed “Fake Font” that combines fake job interviews with malicious GitHub repositories to deploy malware onto software developers’ systems. The campaign has been active for more than 100 days and has recently escalated, with analysts identifying 19 malicious repositories. Its end goal is to deliver the InvisibleFerret Python backdoor, which steals cryptocurrency wallets and browser credentials and establishes persistent access.
The attack begins on professional networking platforms such as LinkedIn, where fake recruiters posing as representatives of cryptocurrency and fintech firms contact targeted developers. They praise the developer’s GitHub profile and then ask them to complete a seemingly simple coding assessment, supplying links to repositories that closely mimic legitimate projects: standard web project layouts, React frontends, Node.js backends, thorough documentation, and even Continuous Integration/Continuous Deployment (CI/CD) configurations.
The “Fake Font” Malware Infection Mechanism
The “Fake Font” campaign exploits trust by making its malicious repositories appear entirely genuine. According to researchers, the infection chain abuses a legitimate feature of Microsoft Visual Studio Code, the popular integrated development environment: its task automation, which developers routinely use to run tests and build projects. Nothing in VS Code itself is compromised; the attackers simply ship a task configuration that the editor honours.
Each malicious repository carries an inconspicuous .vscode/tasks.json. VS Code lets a task declare "runOptions": {"runOn": "folderOpen"}, which starts it the moment a developer opens the repository folder in the editor, provided the developer has trusted the workspace (VS Code runs no tasks in Restricted Mode) and has not turned automatic tasks off via the task.allowAutomaticTasks setting. A developer who has just cloned a repository for a job assessment will almost always click through the trust prompt, and that automatic execution on open is the linchpin of the infection mechanism.
Disguised Malware and Stealthy Deployment
The core of the infection is JavaScript malware disguised as a web font file, using the common .woff2 extension. When VS Code triggers the malicious task, the task passes this fake font file to Node.js, which executes it as JavaScript regardless of the extension. That kicks off a multi-stage loading process that deploys the malware while remaining largely invisible to the user.
Crucially, the task’s presentation settings (the same block a legitimate project would use, for example "reveal": "never", to keep a background watcher out of the way) are used to suppress any terminal output, so the developer sees nothing happen. This stealth is what makes the “Fake Font” campaign particularly insidious.
What makes this operation particularly dangerous is its exploitation of the trust developers place in open-source repositories and established development tools. The repositories are structurally sound and look authentic, and the presence of font files is exactly what a web project shipping Font Awesome icons would contain, so there is no immediate visual cue of compromise. Developers cloning these repositories for a purported job assessment are unknowingly installing malicious code.
This campaign underscores how threat actors evolve their tactics to get around security controls. By combining social engineering, abuse of the trust developers place in a cloned repository, and specific features of development tools, the Lazarus Group reaches a high-value demographic with access to sensitive systems and valuable cryptocurrency assets. Security teams are advised to review their organizations’ GitHub repository access permissions and VS Code configurations now: in particular, look for .vscode/tasks.json files in cloned repositories that run on folder open, hide their output, or point an interpreter such as Node.js at a file that is not a script.
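The infection mechanism described above (a folderOpen task, a hidden panel, Node.js launched on a .woff2) and the review advice in the previous paragraph both come down to one question: does any tasks.json in a cloned repository auto-run an interpreter against a file whose extension says it is something else? The scanner below answers that question. It is an added example for this article, not code from the campaign, the researchers, or VS Code. The keys it inspects (runOptions.runOn, presentation.reveal, command, args) are part of VS Code’s documented task schema; the two tasks.json samples embedded in the block are constructed for the demonstration and are only parsed, never executed.

```python
"""Scan VS Code tasks.json for the pattern described above: a task that runs on folder open,
hides its output, and hands an interpreter a file whose extension says otherwise (node on a
.woff2). Added example for this article, not code from the campaign, the researchers or
VS Code; the sample files at the bottom are constructed."""
import json
import re
import shlex
from pathlib import Path

# Interpreters and the extensions they are normally handed; anything else (.woff2, .png,
# .css) pointed at them is the "Fake Font" trick and is reported as a mismatch.
INTERPRETERS = {"node": {".js", ".cjs", ".mjs"}, "python": {".py"}, "python3": {".py"},
                "sh": {".sh"}, "bash": {".sh"}, "powershell": {".ps1"}, "pwsh": {".ps1"}}


def strip_jsonc(text: str) -> str:
    """VS Code accepts // and /* */ comments and trailing commas in tasks.json; json.loads
    does not. Strip comments outside string literals, then trailing commas."""
    out, i, in_str = [], 0, False
    while i < len(text):
        c = text[i]
        if in_str or c == '"':
            out.append(c)
            if in_str and c == "\\" and i + 1 < len(text):   # keep escaped char, e.g. \"
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = not in_str
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = len(text) if j == -1 else j                   # the newline itself is kept
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = len(text) if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))        # ",}" inside a string: accepted risk


def analyze_task(task: dict) -> dict:
    """Indicators for one task. Only auto-run AND (hidden output OR interpreter mismatch)
    counts as suspicious: legitimate projects do use folderOpen for visible watch tasks."""
    def s(v):  # command/args entries may be strings or {"value": ..., "quoting": ...} objects
        return v.get("value", "") if isinstance(v, dict) else (v if isinstance(v, str) else "")
    auto_run = (task.get("runOptions") or {}).get("runOn") == "folderOpen"
    hidden = (task.get("presentation") or {}).get("reveal") in ("never", "silent")
    tokens = shlex.split(s(task.get("command"))) + [s(a) for a in task.get("args") or []]
    mismatches = []
    expected = INTERPRETERS.get(Path(tokens[0]).name.lower()) if tokens else None
    for tok in tokens[1:] if expected else []:
        ext = Path(tok).suffix.lower()
        if not tok.startswith("-") and ext and ext not in expected:   # skip interpreter flags
            mismatches.append(f"{tokens[0]} -> {tok}")
    return {"label": task.get("label", "<unnamed>"), "auto_run": auto_run,
            "hidden_output": hidden, "interpreter_mismatch": mismatches,
            "suspicious": auto_run and (hidden or bool(mismatches))}


def scan_tasks_json(text: str) -> list[dict]:
    data = json.loads(strip_jsonc(text))
    return [analyze_task(t) for t in data.get("tasks", []) if isinstance(t, dict)]


def scan_directory(root: str) -> list[tuple[str, dict]]:
    """Walk cloned repositories under root; report suspicious tasks and unparseable files."""
    hits = []
    for path in Path(root).rglob("tasks.json"):
        if path.parent.name != ".vscode":
            continue
        try:
            reports = scan_tasks_json(path.read_text(encoding="utf-8", errors="replace"))
        except json.JSONDecodeError as exc:      # a tasks.json the scanner cannot read deserves a look
            reports = [{"label": "<unparseable>", "error": str(exc), "suspicious": True}]
        hits.extend((str(path), r) for r in reports if r["suspicious"])
    return hits


# Constructed samples: the first has the shape the article describes and is NOT the campaign's file.
SUSPICIOUS_SAMPLE = """{
    // comments and trailing commas are legal in tasks.json
    "version": "2.0.0",
    "tasks": [
        { "label": "Build fonts", "type": "shell", "command": "node",
          "args": ["src/assets/fonts/icons.woff2"],
          "runOptions": { "runOn": "folderOpen" },
          "presentation": { "reveal": "never", "echo": false, "panel": "dedicated", }, },
        { "label": "Test", "type": "shell", "command": "npm test", },
    ],
}"""
BENIGN_SAMPLE = """{ "version": "2.0.0", "tasks": [ { "label": "watch", "type": "shell",
    "command": "npm", "args": ["run", "watch"], "runOptions": { "runOn": "folderOpen" },
    "presentation": { "reveal": "always" } } ] }"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        for report in scan_tasks_json(sample):
            print(name, report)
```

Run it against a directory of cloned assessment repositories with scan_directory("/path/to/clones"). The scanner deliberately requires two indicators before calling a task suspicious: a folderOpen task that visibly runs npm run watch is normal in a web project, whereas a folderOpen task that hides its panel and feeds a .woff2 to node is the pattern this article describes. Because tasks.json may legally contain comments and trailing commas, the block strips them before parsing rather than relying on json.loads alone; a file that still fails to parse is reported rather than skipped, since an unparseable tasks.json in a repository you did not write is itself worth a look.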
The sustained intensity of the attack points to a continued effort by the Lazarus Group to reach lucrative digital assets. Future iterations may bring further obfuscation or target other development tools. Organizations should watch for new variants and consider stricter code review for all third-party code, especially code received as part of a recruitment assessment.