Malware - North Korean Hackers Deploy StoatWaffle via VS Code
Basically, North Korean hackers use a coding tool to secretly install malware on computers.
North Korean hackers are exploiting Visual Studio Code to deploy StoatWaffle malware. Developers are at risk of credential theft and system compromise. Stay alert and verify your sources to protect your data.
What Happened
North Korean hackers, known for their Contagious Interview campaign, have recently adopted a new tactic to distribute StoatWaffle malware. This malware is embedded within malicious Microsoft Visual Studio Code (VS Code) projects. By utilizing the tasks.json file in VS Code, these hackers can execute the malware automatically whenever a project folder is opened. This method has been in use since December 2025, marking a significant evolution in their attack strategies.
The malware operates by first checking if Node.js is installed on the victim's machine. If it's not found, the malware downloads and installs it from the official Node.js website. Once installed, it connects to an external server to download additional malicious payloads, which can include credential stealers and remote access tools. This approach allows the attackers to maintain control over infected machines and extract sensitive information.
Who's Being Targeted
The primary targets of this campaign are developers, particularly those involved in cryptocurrency and Web3 sectors. The attackers use social engineering tactics, often posing as recruiters conducting technical interviews. This method is particularly effective as it exploits the trust developers place in legitimate hiring processes. By targeting experienced professionals, they aim to gain access to valuable corporate infrastructure and cryptocurrency wallets.
Recent incidents have shown that even high-profile individuals, such as founders and CTOs, have been approached through fake job interviews. This indicates the attackers are not only looking for easy targets but are also sophisticated in their approach, leveraging social engineering to bypass traditional security measures.
Signs of Infection
Victims of the StoatWaffle malware may notice several signs of infection. These can include unexpected behavior from their web browsers, such as unusual pop-ups or slow performance due to the malware's background activities. Additionally, users may find that their credentials or sensitive information have been compromised, particularly if they notice unauthorized transactions or account access.
Another indicator of infection is the presence of new applications or scripts that were not intentionally installed by the user. The malware's ability to download additional payloads means that infections can evolve, leading to more severe consequences over time.
How to Protect Yourself
To safeguard against these types of attacks, developers should be cautious when interacting with job offers and technical assessments. Always verify the legitimacy of the source before executing any code or downloading packages. Additionally, keeping software like VS Code and Node.js updated can help mitigate vulnerabilities that attackers might exploit.
Microsoft has introduced new security features in recent updates to VS Code, including the task.allowAutomaticTasks setting, which is turned off by default. This change aims to prevent tasks from malicious repositories from running automatically when a project folder is opened. Users are encouraged to keep automatic tasks disabled through this setting and to remain vigilant against suspicious projects or extensions to protect their systems from malware like StoatWaffle.
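As an added defensive example (not code from the article or from any source it cites), the Python script below turns two points from this page into checks a developer or security team can run: the tasks.json mechanism described under "What Happened", and the task.allowAutomaticTasks setting discussed above. It scans a checkout for .vscode/tasks.json files whose tasks are configured to run on folder open (VS Code's documented runOptions.runOn: "folderOpen" option) and reports the command each would launch, and it checks whether a user settings.json pins task.allowAutomaticTasks to "off". The sample tasks.json and the list of flagged launcher names are constructed for the example; a review like this belongs on a copy of a suspicious project, before it is ever opened in the editor.

```python
import json
import re
import tempfile
from pathlib import Path

# The VS Code setting named in the article. Its string values "on" / "off"
# are VS Code's own; the check below only looks for "off".
AUTOMATIC_TASKS_SETTING = "task.allowAutomaticTasks"

# Launcher names that deserve a second look when a task fires on folder open.
# Constructed list for this example, not a complete or authoritative one.
SUSPICIOUS_TOKENS = ("node", "curl", "wget", "powershell", "bash", "sh", "python", "python3")


def strip_json_comments(text):
    """tasks.json and settings.json are JSONC: drop // and /* */ comments and trailing commas.

    Good enough for configuration files; it does not try to protect comment
    markers that appear inside string literals.
    """
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return text


def find_auto_tasks(tasks_json_text):
    """Return the tasks configured to run as soon as the folder is opened."""
    data = json.loads(strip_json_comments(tasks_json_text))
    findings = []
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on != "folderOpen":
            continue
        # args may be plain strings or {"value": ..., "quoting": ...} objects
        args = [a.get("value", "") if isinstance(a, dict) else str(a) for a in task.get("args", [])]
        command = " ".join([str(task.get("command", ""))] + args).strip()
        flags = [t for t in SUSPICIOUS_TOKENS if re.search(rf"\b{re.escape(t)}\b", command)]
        findings.append({"label": task.get("label", "<unnamed>"), "command": command, "flags": flags})
    return findings


def scan_project(root):
    """Walk a checkout and report every .vscode/tasks.json that auto-runs something."""
    results = {}
    for path in Path(root).rglob("tasks.json"):
        if path.parent.name != ".vscode":
            continue
        try:
            found = find_auto_tasks(path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:  # json.JSONDecodeError is a ValueError
            found = [{"label": "<unparseable>", "command": str(exc), "flags": []}]
        if found:
            results[str(path)] = found
    return results


def automatic_tasks_disabled(settings_json_text):
    """True when settings.json pins task.allowAutomaticTasks to "off"."""
    settings = json.loads(strip_json_comments(settings_json_text))
    return settings.get(AUTOMATIC_TASKS_SETTING) == "off"


# Constructed sample: one ordinary build task and one task wired to folder open.
SAMPLE_TASKS_JSON = r'''{
  // constructed for this example; not taken from any real project
  "version": "2.0.0",
  "tasks": [
    { "label": "Build", "type": "shell", "command": "npm run build" },
    {
      "label": "Prepare environment",
      "type": "shell",
      "command": "node",
      "args": ["./scripts/setup.js"],
      "runOptions": { "runOn": "folderOpen" },
    }
  ]
}'''


if __name__ == "__main__":
    # Stand-alone demo: write the sample into a throwaway checkout and scan it.
    with tempfile.TemporaryDirectory() as tmp:
        vscode_dir = Path(tmp) / "project" / ".vscode"
        vscode_dir.mkdir(parents=True)
        (vscode_dir / "tasks.json").write_text(SAMPLE_TASKS_JSON, encoding="utf-8")
        for path, tasks in scan_project(tmp).items():
            print(f"{path}:")
            for t in tasks:
                print(f"  [{t['label']}] runs on folder open: {t['command']}  flagged={t['flags']}")
    print("automatic tasks disabled in sample settings:",
          automatic_tasks_disabled('{ "task.allowAutomaticTasks": "off" }'))
```

Only the run-on-open trigger is flagged, not the presence of a tasks.json as such: ordinary build tasks that wait for the user to invoke them are normal in real projects, and the review cost should go to the few entries that execute without any further action.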
The Hacker News