North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware
North Korean Hackers Deploy Advanced StoatWaffle Malware via Malicious VS Code Projects: A Deep Dive into the Contagious Interview Campaign
In a sophisticated and alarming development in the cybersecurity landscape, North Korean threat actors have unleashed a new modular malware family known as StoatWaffle, distributed through malicious Microsoft Visual Studio Code (VS Code) projects. This campaign, part of the broader Contagious Interview operation, represents a significant evolution in the tactics employed by the notorious WaterPlum group, also tracked as PurpleBravo. The malware’s deployment via VS Code tasks.json files marks a concerning shift in how attackers exploit trusted development environments to infiltrate systems and steal sensitive data.
The Rise of StoatWaffle: A Modular Threat
StoatWaffle is a Node.js-based malware that operates in two primary modes: a stealer and a remote access trojan (RAT). The stealer module is designed to harvest credentials and browser data from Chromium-based browsers and Mozilla Firefox, uploading this information to a command-and-control (C2) server. On macOS systems, it goes a step further by targeting the iCloud Keychain database. The RAT module, on the other hand, provides attackers with extensive control over infected systems, enabling them to execute commands, upload files, and even terminate the malware itself.
The VS Code Attack Vector: A New Frontier
The use of VS Code as a delivery mechanism is a relatively new tactic adopted by North Korean hackers since December 2025. By leveraging the “tasks.json” file and the “runOn: folderOpen” option, the malware automatically executes whenever a file in the project folder is opened in VS Code. This approach ensures that the malware runs seamlessly across different operating systems, including Windows, macOS, and Linux, making it a versatile and potent threat.
The Contagious Interview Campaign: Social Engineering at Scale
The Contagious Interview campaign is a masterclass in social engineering, targeting developers through fake job interviews and coding assessments. Attackers pose as recruiters, often approaching candidates on platforms like LinkedIn, and lure them into running malicious commands or packages hosted on GitHub, GitLab, or Bitbucket. The targets are not junior developers but rather senior engineers, founders, and CTOs in the cryptocurrency and Web3 sectors, who are likely to have elevated access to sensitive corporate and financial resources.
A Broader Ecosystem of Malware
StoatWaffle is just one piece of a larger puzzle. The North Korean threat actors have been actively deploying other malware families, including OtterCookie, a backdoor capable of extensive data theft; InvisibleFerret, a Python-based backdoor; and FlexibleFerret, a modular backdoor implemented in both Go and Python. These malware families are often delivered through malicious npm packages, compromised GitHub repositories, and even fake VS Code extensions.
The Human Cost: Fake IT Workers and International Sanctions
The campaign is part of a broader fraudulent IT worker scheme orchestrated by North Korea to circumvent international sanctions and generate illicit revenue. In a recent case, three men were sentenced for their roles in furthering this scheme, highlighting the human cost of these operations. The IT workers involved are often highly educated individuals from prestigious North Korean universities, who undergo rigorous training before joining the scheme. They are considered elite members of North Korean society, playing a critical role in the country’s strategic objectives, including revenue generation, data theft, and supporting other North Korean cyber operations.
Mitigation and Defense: What You Can Do
In response to the growing threat, Microsoft has introduced mitigations in the January 2026 update (version 1.109) of VS Code. These include a new “task.allowAutomaticTasks” setting, which defaults to “off,” and additional prompts to warn users when an auto-run task is detected. However, the evolving nature of these attacks underscores the need for continuous vigilance and proactive defense measures.
Conclusion: A Call to Action
The deployment of StoatWaffle and the broader Contagious Interview campaign represent a significant escalation in the cyber threat landscape. As North Korean hackers continue to refine their tactics and exploit trusted platforms, it is imperative for organizations and individuals to stay informed, adopt robust security practices, and remain vigilant against these sophisticated threats. The stakes have never been higher, and the time to act is now.