North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware

2026-03-23

1 min read

by info@thehackernews.com (The Hacker News)

Read Original

Get the latest tech trends every morning

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Endigest AI Core Summary

This article covers a new malware campaign by North Korean threat actors (WaterPlum/Contagious Interview) using malicious VS Code projects to deploy the StoatWaffle malware.

•StoatWaffle is distributed via VS Code 'tasks.json' using the 'runOn: folderOpen' option to auto-execute malware when a project folder is opened
•The malware first checks for Node.js, installs it if absent, then launches a downloader that polls an external server for next-stage payloads
•StoatWaffle includes a Stealer module (browser credentials, iCloud Keychain on macOS) and a RAT module with full remote command execution
•Related campaigns include malicious npm packages spreading PylangGhost, and the PolinRider campaign injecting BeaverTail into hundreds of public GitHub repos including Neutralinojs
•

North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware

Get the latest tech trends every morning

Endigest AI Core Summary

Related Articles

China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers

UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack

Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture