North Korean Hackers Exploit VS Code Auto-Run Tasks to Distribute StoatWaffle Malware
Recent developments in cybersecurity have revealed that North Korean threat actors, identified as part of the Contagious Interview campaign, are leveraging a new method to distribute malware known as StoatWaffle. This malware is being disseminated through malicious Microsoft Visual Studio Code (VS Code) projects, marking a significant evolution in the tactics employed by these cybercriminals.
The Emergence of StoatWaffle
The use of VS Code’s “tasks.json” file to deploy malware is a relatively recent strategy, adopted by these threat actors since December 2025. The approach relies on the “runOn: folderOpen” option, which automatically triggers execution of the task’s malicious command whenever the project folder is opened in VS Code. According to NTT Security, the task is configured to download data from a web application regardless of the operating system in use, although the assumption is that Windows is the primary target.
The initial payload checks for the presence of Node.js in the executing environment. If Node.js is not installed, the malware will download and install it from the official website. Following this, it launches a downloader that periodically polls an external server to retrieve a next-stage downloader, executing the received response as Node.js code.
Functionality of StoatWaffle
StoatWaffle is modular, comprising two primary components:
- Credential Stealer: This module captures credentials and extension data from web browsers, specifically targeting Chromium-based browsers and Mozilla Firefox. If the compromised system runs macOS, it can also extract the iCloud Keychain database.
- Remote Access Trojan (RAT): This component communicates with a command-and-control (C2) server to execute commands on the infected host. The commands allow the malware to change directories, enumerate files, execute Node.js code, upload files, and terminate itself.
NTT Security has noted that WaterPlum, the group behind StoatWaffle, is continuously developing new malware and updating its existing tools.
Broader Campaigns Targeting the Open-Source Ecosystem
The emergence of StoatWaffle coincides with various campaigns targeting the open-source ecosystem. For instance, malicious npm packages have been identified that distribute PylangGhost malware, marking a notable shift in the propagation methods for this malware family. Additionally, the PolinRider campaign has implanted malicious JavaScript payloads in numerous public GitHub repositories, leading to the deployment of a new version of BeaverTail, a known stealer and downloader malware linked to the Contagious Interview campaign.
Notably, four repositories belonging to the Neutralinojs GitHub organization were compromised. The attack involved a long-time contributor’s GitHub account, which had organization-level write access, allowing the attackers to push JavaScript code that retrieves encrypted payloads from various blockchain transactions.
Social Engineering Tactics
Microsoft’s analysis of the Contagious Interview campaign highlights that threat actors gain initial access to developer systems through convincingly staged recruitment processes. These processes mimic legitimate technical interviews, persuading victims to execute malicious commands or packages hosted on platforms like GitHub, GitLab, or Bitbucket.
Targets are often senior professionals, such as founders and CTOs in the cryptocurrency or Web3 sectors, who possess elevated access to their company’s technological infrastructure. A recent incident involved an unsuccessful attempt to target the founder of AllSecure.io through a fake job interview.
Evolving Malware Delivery Mechanisms
The sophistication of these attacks is evident in the evolution of malware delivery mechanisms. Recent mutations of the VS Code projects have shifted from Vercel-based domains to GitHub Gist-hosted scripts, which download and execute next-stage payloads leading to the deployment of FlexibleFerret, another malware variant.
By embedding malware delivery directly into trusted interview tools and coding exercises, threat actors exploit the inherent trust job seekers place in the hiring process. This tactic reduces suspicion and resistance, particularly during high-pressure situations.
Mitigation Efforts by Microsoft
In response to the abuse of VS Code tasks, Microsoft introduced a mitigation in the January 2026 update, which includes a new “task.allowAutomaticTasks” setting that defaults to “off.” This change aims to enhance security and prevent unintended execution of tasks defined in “tasks.json” when opening a workspace.
Furthermore, the update prevents malicious repositories from overriding user settings at the workspace level. A secondary prompt has also been introduced to warn users when an auto-run task is detected in a newly opened workspace, serving as an additional layer of protection.
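The two passages above describe the mechanism (a task in “.vscode/tasks.json” with “runOn: folderOpen”) and the mitigation (the “task.allowAutomaticTasks” setting defaulting to “off”). The following script is an added defender-side example, not code from the article, NTT Security or Microsoft. It walks a checkout for tasks.json files, flags any task configured to auto-run on folder open, and checks whether a settings document has automatic tasks enabled. It assumes strict JSON (VS Code also accepts comments in tasks.json; such files fail to parse here and are reported for manual review rather than silently skipped). The sample tasks.json it embeds is constructed for illustration.

```python
import json
import os
import shutil
import tempfile

# The runOptions.runOn value that makes VS Code start a task when a folder is opened.
AUTO_RUN_TRIGGER = "folderOpen"

# Constructed sample tasks.json (not a real artifact from the campaign): one ordinary
# build task and one task that would auto-run on folder open.
SAMPLE_TASKS_JSON = """{
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell", "command": "node",
     "args": ["./scripts/setup.js"],
     "runOptions": {"runOn": "folderOpen"}}
  ]
}"""


def find_auto_run_tasks(tasks_json_text):
    """Parse a tasks.json document and return the tasks that auto-run on folder open."""
    doc = json.loads(tasks_json_text)
    findings = []
    for task in doc.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == AUTO_RUN_TRIGGER:
            findings.append({
                "label": task.get("label", "<unlabelled>"),
                "type": task.get("type"),
                "command": task.get("command"),
                "args": task.get("args", []),
            })
    return findings


def scan_workspace(root):
    """Walk a directory tree for .vscode/tasks.json files; map each file to its findings.

    Files that cannot be read or parsed are reported as an error entry so that a
    reviewer looks at them instead of the scan failing open."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in filenames:
            path = os.path.join(dirpath, "tasks.json")
            try:
                with open(path, encoding="utf-8") as fh:
                    hits = find_auto_run_tasks(fh.read())
            except (OSError, ValueError) as exc:
                hits = [{"error": str(exc)}]
            if hits:
                results[os.path.relpath(path, root)] = hits
    return results


def automatic_tasks_allowed(settings):
    """True if a settings document turns automatic tasks on.

    A missing key is treated as "off", matching the default the article describes
    for the January 2026 update."""
    return settings.get("task.allowAutomaticTasks", "off") == "on"


def demo():
    """Build a throwaway workspace containing the constructed sample and scan it."""
    root = tempfile.mkdtemp(prefix="vscode-audit-")
    try:
        vscode_dir = os.path.join(root, "project", ".vscode")
        os.makedirs(vscode_dir)
        with open(os.path.join(vscode_dir, "tasks.json"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_TASKS_JSON)
        return scan_workspace(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {hits}")
    print("auto-run allowed:", automatic_tasks_allowed({"task.allowAutomaticTasks": "off"}))
```

Running the script on a cloned repository before opening it in the editor turns the “is there an auto-run task?” question into a reviewable list; any hit that downloads or executes something deserves scrutiny before the folder is opened. The settings check is a reminder that the mitigation is only effective while the setting stays at “off”, which the update now also prevents a workspace from overriding.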
Ongoing Threats and Legal Actions
In recent months, North Korean threat actors have expanded their malware campaigns to target cryptocurrency professionals through social engineering tactics on LinkedIn, fake venture capital firms, and fraudulent video conferencing links. These activities overlap with clusters tracked as GhostCall and UNC1069.
The U.S. Department of Justice recently announced the sentencing of three individuals involved in facilitating North Korea’s fraudulent IT worker scheme, which violated international sanctions. The sentences highlight the ongoing challenges posed by North Korean cyber operations and their implications for global cybersecurity.
As the landscape of cyber threats continues to evolve, the tactics employed by North Korean hackers underscore the need for heightened vigilance and robust security measures within the tech community.
For more detailed insights, refer to the reporting by thehackernews.com.