North Korea-linked threat actors abuse VS Code auto-run to spread StoatWaffle malware

North Korea-linked threat actors use VS Code auto-run tasks to spread StoatWaffle malware via malicious projects that execute on folder open.

North Korea-linked threat actor Team 8 behind the Contagious Interview campaign is spreading StoatWaffle malware through malicious Microsoft Visual Studio Code projects. Since late 2025, they have abused the “tasks.json” auto-run feature in Microsoft Visual Studio Code to execute code whenever a folder is opened, downloading payloads from the web across operating systems, making this tactic both stealthy and effective.

“In Contagious Interview campaign, Team 8 has been mainly using OtterCookie. Starting around December 2025, Team 8 started using new malware. We named this malware StoatWaffle.” reads the report published by NTT Security. “Team 8 leverages a project related to blockchain as a decoy. This malicious repository contains .vscode directory that contains tasks.json file. If a user opens and trusts this malicious reporitory with VSCode, it reads this tasks.json file.”

The task downloads payloads from Vercel and runs them via cmd.exe, starting with a simple downloader. It then installs Node.js if missing and fetches additional files, enabling further malware execution across operating systems.

The StoatWaffle malware uses a multi-stage infection chain. It begins with a Node.js loader that repeatedly connects to a command-and-control (C2) server and executes any code it receives. A second downloader is then deployed, continuing this communication and quickly delivering additional malware modules.

One module acts as a stealer, collecting credentials from browsers, extension data, installed software details, and even macOS Keychain data, then sending everything back to the attacker. It can also access Windows data through WSL environments.

“Stealer module thefts credentials stored on Web browsers and designated browser extension data and uploads them to C2 server. If the victim browser was Chromium family, it steals browser extension data (Appendix) besides stored credentials. If the victim browser was Firefox, it steals browser extension data besides stored credentials. It reads extensions.json and gets the list of browser extension names, then checks whether designated keyword is included.” continues the report. “If the victim OS was macOS, it also steals Keychain database.”

Another module works as a remote access trojan (RAT), allowing attackers to run commands on the infected system and receive results. Overall, the malware enables full data theft and remote control of compromised devices.

“StoatWaffle is a modular malware implemeted by Node.js and it has Stealer and RAT modules. WaterPlum is continuously developing new malware and updating existing ones. We think it necessary to pay close attention to their activities.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, StoatWaffle)