North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware

Security Reporter

North Korean threat actors exploit VS Code's auto-run tasks feature to deploy StoatWaffle malware through fake job interviews, targeting cryptocurrency professionals with sophisticated social engineering campaigns.

North Korean hackers have developed a sophisticated new attack method that exploits Visual Studio Code's auto-run tasks feature to deploy malware through fake job interviews, targeting cryptocurrency professionals and developers with unprecedented precision.

The campaign, attributed to the North Korean threat actor group tracked as WaterPlum (also known as Contagious Interview), represents a significant evolution in social engineering tactics. Since December 2025, these attackers have been distributing malware through malicious VS Code projects that automatically execute when opened, bypassing traditional security awareness.

How the VS Code Attack Works

The malware, dubbed StoatWaffle, leverages VS Code's "tasks.json" configuration file, using a task whose "runOptions" set "runOn" to "folderOpen". This setting automatically triggers malicious code execution whenever any file in the project folder is opened in VS Code, regardless of the operating system being used.

"This task is configured so that it downloads data from a web application on Vercel regardless of executing OS [operating system]," NTT Security explained in their recent analysis. "Though we assume that the executing OS is Windows in this article, the essential behaviors are the same for any OS."

The attack chain begins with the downloaded payload checking for Node.js installation. If absent, the malware downloads and installs Node.js from the official website before proceeding. It then launches a downloader that periodically polls external servers for next-stage payloads, creating a persistent infection vector.

Dual-Module Malware Architecture

StoatWaffle operates with two distinct modules that work in tandem:

Stealer Module: Captures credentials and extension data from web browsers, including Chromium-based browsers and Mozilla Firefox. On macOS systems, it additionally steals iCloud Keychain databases, providing comprehensive access to stored passwords and sensitive information.

Remote Access Trojan (RAT) Module: Communicates with command-and-control servers to receive and execute commands on infected hosts. The RAT capabilities include changing directories, enumerating files, executing Node.js code, uploading files, running shell commands, and self-termination.

"StoatWaffle is a modular malware implemented by Node.js, and it has Stealer and RAT modules," the Japanese security vendor confirmed. "WaterPlum is continuously developing new malware and updating existing ones."

The Fake Interview Social Engineering Tactic

The attack begins with what appears to be legitimate recruitment efforts. North Korean threat actors conduct convincingly staged technical interviews that mirror authentic hiring processes. They approach targets primarily through LinkedIn, focusing on founders, CTOs, and senior engineers in cryptocurrency and Web3 sectors rather than junior developers.

These positions are specifically targeted because they typically have elevated access to company infrastructure and cryptocurrency wallets. The attackers persuade victims to run malicious commands or packages hosted on GitHub, GitLab, or Bitbucket as part of the "assessment" process.

A recent incident involved attackers unsuccessfully targeting the founder of AllSecure.io through a fake job interview, demonstrating the campaign's sophistication and persistence.

Broader Campaign Ecosystem

The StoatWaffle deployment is part of a larger, coordinated effort by North Korean hackers. The campaign includes:

  • Malicious npm packages distributing PylangGhost malware, marking the first time this malware has been propagated through npm repositories
  • PolinRider campaign that implanted malicious obfuscated JavaScript in hundreds of public GitHub repositories, including four repositories belonging to the Neutralinojs organization
  • VS Code extension attacks that compromise developer systems through seemingly legitimate extensions

Evolution of Attack Techniques

Microsoft's analysis revealed that newer mutations of these VS Code projects have evolved beyond Vercel-based domains. Recent variants use GitHub Gist-hosted scripts to download and execute next-stage payloads, demonstrating the attackers' adaptability.

These projects are staged on GitHub, making them appear more legitimate to potential victims. The threat actors continuously refine their tradecraft, moving from one delivery mechanism to another as defenses improve.

Microsoft's Security Response

In response to these attacks, Microsoft implemented critical security improvements in VS Code. The January 2026 update (version 1.109) introduced a new "task.allowAutomaticTasks" setting that defaults to "off," preventing unintended execution of tasks defined in "tasks.json" when opening a workspace.

"The update also prevents the setting from being defined at the workspace level, so malicious repositories with their own .vscode/settings.json file should not be able to override the user (global) setting," Abstract Security noted.

Additionally, the February 2026 release (version 1.110) introduced a secondary prompt warning users when an auto-run task is detected in a newly opened workspace, providing an additional layer of protection after the Workspace Trust prompt.
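As an added example (not code from the article or from any vendor it cites), the Python scanner below covers both the folderOpen trigger described under "How the VS Code Attack Works" and the "task.allowAutomaticTasks" user setting above: it parses VS Code's comment-tolerant tasks.json, reports tasks that would fire on folder open, and decides whether they would actually run from the user-level setting alone, never from a repository's own .vscode/settings.json. The sample tasks.json, its placeholder command, and the fallback of "off" when the setting is absent are constructed assumptions.

```python
import json
import re
from pathlib import Path

# Constructed sample tasks.json with one ordinary task and one task using the
# auto-run trigger the article describes; the command is a placeholder.
SAMPLE_TASKS_JSON = """{
  // VS Code accepts comments and trailing commas in tasks.json
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell",
     "command": "node .vscode/PLACEHOLDER-bootstrap.js",
     "runOptions": {"runOn": "folderOpen"},},
  ],
}"""


def load_jsonc(text: str) -> dict:
    """Parse VS Code's JSON-with-comments: drop block comments, comment-only
    lines and trailing commas, then hand the result to the strict parser.
    (Trailing same-line comments are not handled; good enough for a scan.)"""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",\s*([}\]])", r"\1", text)
    return json.loads(text)


def find_auto_run_tasks(tasks_json: str) -> list[dict]:
    """Return every task that fires on folder open, with its label and command."""
    doc = load_jsonc(tasks_json)
    return [
        {"label": t.get("label"), "command": t.get("command")}
        for t in doc.get("tasks", [])
        if t.get("runOptions", {}).get("runOn") == "folderOpen"
    ]


def automatic_tasks_allowed(user_settings: dict) -> bool:
    """Decide from the user (global) settings only. A workspace settings.json
    is attacker-controlled in this scenario and is deliberately ignored.
    Assumption: an absent setting is treated as "off", as the article states."""
    return user_settings.get("task.allowAutomaticTasks", "off") == "on"


def scan_checkout(root: Path, user_settings: dict) -> list[dict]:
    """Walk a checkout for .vscode/tasks.json files and report auto-run tasks."""
    findings = []
    for tasks_file in root.glob("**/.vscode/tasks.json"):
        for hit in find_auto_run_tasks(tasks_file.read_text(encoding="utf-8")):
            hit["file"] = str(tasks_file)
            hit["would_execute"] = automatic_tasks_allowed(user_settings)
            findings.append(hit)
    return findings
```

Run scan_checkout on a freshly cloned interview repository before opening it in VS Code; any finding with would_execute set to True means the user setting has been switched on and should be reviewed.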

Cross-Platform Campaign Expansion

Recent months have seen North Korean threat actors expand their operations to include coordinated malware campaigns targeting cryptocurrency professionals through multiple channels:

  • LinkedIn social engineering
  • Fake venture capital firms
  • Fraudulent video conferencing links
  • ClickFix-style fake CAPTCHA pages that trick victims into executing clipboard-injected commands

"The campaign is cross-platform by design, delivering tailored payloads for both macOS and Windows," MacPaw's Moonlock Lab reported.

Connection to Broader North Korean Operations

The VS Code attack campaign is part of North Korea's larger fraudulent IT worker scheme. The U.S. Department of Justice recently sentenced three men for their roles in furthering these operations, highlighting the international scope of these activities.

Flare and IBM X-Force's analysis revealed that IT workers in these schemes attend prestigious universities in North Korea and undergo rigorous interview processes themselves before joining. They are "considered elite members of North Korean society and have become an indispensable part of the overall North Korean government's strategic objectives."

These objectives include revenue generation, remote employment activity, theft of corporate and proprietary information, extortion, and supporting other North Korean hacking groups.

Protection and Mitigation Strategies

Organizations and individuals should implement several protective measures:

  1. Enable VS Code's automatic task protection by ensuring the "task.allowAutomaticTasks" setting is configured correctly
  2. Exercise extreme caution with unsolicited job offers, especially those requiring immediate technical assessments
  3. Verify GitHub repositories and npm packages before execution, particularly from unknown sources
  4. Implement network monitoring for unusual outbound connections to known malicious domains
  5. Educate development teams about these sophisticated social engineering tactics

The StoatWaffle campaign demonstrates how threat actors are increasingly targeting the software development supply chain and exploiting trusted development tools. By embedding malware delivery directly into interview tools and coding exercises that developers inherently trust, attackers lower suspicion and resistance during high-pressure situations.

As North Korean hackers continue to refine their techniques and expand their targeting, organizations must remain vigilant and implement comprehensive security measures that address both technical vulnerabilities and sophisticated social engineering tactics.
