Close Menu
    What's Hot

    M.P. Evans Group PLC (MPEVF) Discusses Responsible Production and Pricing Dynamics in Palm Oil Industry Transcript

    France 0 – 2 Spain

    Helping AI models to meet the real world | MIT News

    Facebook X (Twitter) Instagram
    Trending
    • M.P. Evans Group PLC (MPEVF) Discusses Responsible Production and Pricing Dynamics in Palm Oil Industry Transcript
    • France 0 – 2 Spain
    • Helping AI models to meet the real world | MIT News
    • Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack
    • No More Trips to Walgreens? State Department Teases…
    • French and Spanish parties – Live Updates
    • Iran Escalates Its Attacks on Bahrain and Kuwait
    • Mikie Sherrill confronts FIFA in New Jersey turf battle – Live Updates
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware

    adminBy adminMarch 23, 2026No Comments7 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware
    Share
    Facebook Twitter LinkedIn Pinterest Email

    North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware

    The North Korean threat actors behind the Contagious Interview campaign, also tracked as WaterPlum, have been attributed to a malware family tracked as StoatWaffle that’s distributed via malicious Microsoft Visual Studio Code (VS Code) projects.

    The use of VS Code “tasks.json” to distribute malware is a relatively new tactic adopted by the threat actor since December 2025, with the attacks leveraging the “runOn: folderOpen” option to automatically trigger its execution every time any file in the project folder is opened in VS Code.

    “This task is configured so that it downloads data from a web application on Vercel regardless of executing OS [operating system],” NTT Security said in a report published last week. “Though we assume that the executing OS is Windows in this article, the essential behaviors are the same for any OS.”

    The downloaded payload first checks whether Node.js is installed in the executing environment. If it’s absent, the malware downloads Node.js from the official website and installs it. Subsequently, it proceeds to launch a downloader, which periodically polls an external server to fetch a next-stage downloader that exhibits identical behavior by reaching out to another endpoint on the same server and executing the received response as Node.js code.

    Cybersecurity

    StoatWaffle has been found to deliver two different modules –

    • A stealer that captures credentials and extension data stored in web browsers (Chromium-based browsers and Mozilla Firefox) and uploads them to a command-and-control (C2) server. If the compromised system runs on macOS, it also steals the iCloud Keychain database.
    • A remote access trojan (RAT) that communicates with the C2 server to fetch and execute commands on the infected host. The commands allow the malware to change the current working directory, enumerate files and directories, execute Node.js code, upload file, recursively search the given directory and list or upload files matching a certain keyword, run shell commands, and terminate itself.

    “StoatWaffle is a modular malware implemented by Node.js, and it has Stealer and RAT modules,” the Japanese security vendor said. “WaterPlum is continuously developing new malware and updating existing ones.”

    The development coincides with various campaigns mounted by the threat actor targeting the open-source ecosystem –

    • A set of malicious npm packages that distribute the PylangGhost malware, marking the first time the malware has been propagated via npm packages.
    • A campaign known as PolinRider has implanted a malicious obfuscated JavaScript payload in hundreds of public GitHub repositories that culminates in the deployment of a new version of BeaverTail, a known stealer and downloader malware attributed to Contagious Interview.
    • Among the compromises are four repositories belonging to the Neutralinojs GitHub organization. The attack is said to have compromised the GitHub account of a long-time neutralinojs contributor with organization-level write access to force-push JavaScript code that retrieves encrypted payloads in Tron, Aptos, and Binance Smart Chain (BSC) transactions to download and run BeaverTail. The victims are believed to have been infected via a malicious VS Code extension or an npm package.

    Microsoft, in an analysis of Contagious Interview this month, said the threat actors achieve initial access to developer systems through “convincingly staged recruitment processes” that mirror legitimate technical interviews, ultimately persuading victims into running malicious commands or packages hosted on GitHub, GitLab, or Bitbucket as part of the assessment.

    In some cases, targets are approached on LinkedIn. However, the individuals chosen for this social engineering attack are not junior developers, but rather founders, CTOs, and senior engineers in the cryptocurrency or Web3 sector, who are likely to have elevated access to the company’s tech infrastructure and cryptocurrency wallets. A recent incident involved the attackers unsuccessfully targeting the founder of AllSecure.io via a fake job interview.

    Some of the key malware families deployed as part of these attack chains include OtterCookie (a backdoor capable of extensive data theft), InvisibleFerret (a Python-based backdoor), and FlexibleFerret (a modular backdoor implemented in both Go and Python). While InvisibleFerret is known to be typically delivered via BeaverTail, recent intrusions have been found to distribute the malware as a follow-on payload, after leveraging initial access obtained through OtterCookie.

    It’s worth mentioning here that FlexibleFerret is also referred to as WeaselStore. Its Go and Python variants go by the monikers GolangGhost and PylangGhost, respectively.

    In a sign that the threat actors are actively refining their tradecraft, newer mutations of the VS Code projects have eschewed Vercel-based domains for GitHub Gist-hosted scripts to download and execute next-stage payloads that ultimately lead to the deployment of FlexibleFerret. These VS Code projects are staged on GitHub.

    “By embedding targeted malware delivery directly into interview tools, coding exercises, and assessment workflows developers inherently trust, threat actors exploit the trust job seekers place in the hiring process during periods of high motivation and time pressure, lowering suspicion and resistance,” the tech giant said.

    In response to the ongoing abuse of VS Code Tasks, Microsoft has included a mitigation in the January 2026 update (version 1.109) that introduces a new “task.allowAutomaticTasks” setting, which defaults to “off” in order to improve security and prevent unintended execution of tasks defined in “tasks.json” when opening a workspace.

    “The update also prevents the setting from being defined at the workspace level, so malicious repositories with their own .vscode/settings.json file should not be able to override the user (global) setting,” Abstract Security said. 

    “This version and the recent February 2026 (version 1.110) release also introduce a secondary prompt that warns the user when an auto-run task is detected in a newly opened workspace. This acts as an additional guard after a user accepts the Workspace Trust prompt.”

    In recent months, North Korean threat actors have also been engaging in a coordinated malware campaign targeting cryptocurrency professionals through LinkedIn social engineering, fake venture capital firms, and fraudulent video conferencing links. The activity shares overlap with clusters tracked as GhostCall and UNC1069.

    “The attack chain culminates in a ClickFix-style fake CAPTCHA page that tricks victims into executing clipboard-injected commands in their Terminal,” MacPaw’s Moonlock Lab said. “The campaign is cross-platform by design, delivering tailored payloads for both macOS and Windows.”

    Cybersecurity

    The findings come as the U.S. Department of Justice (DoJ) announced the sentencing of three men — Audricus Phagnasay, 25, Jason Salazar, 30, and Alexander Paul Travis, 35 — for their roles in furthering North Korea’s fraudulent information technology (IT) worker scheme in violation of international sanctions. All three individuals previously pleaded guilty in November 2025.

    Phagnasay and Salazar were both sentenced to three years of probation and a $2,000 fine. They were also ordered to forfeit the illicit proceeds gained by participating in the wire fraud conspiracy. Travis was sentenced to one year in prison and ordered to forfeit $193,265, the amount earned by North Koreans by using his identity.

    “These men practically gave the keys to the online kingdom to likely North Korean overseas technology workers seeking to raise illicit revenue for the North Korean government — all in return for what to them seemed like easy money,” Margaret Heap, U.S. attorney for the Southern District of Georgia, said in a statement.

    Last week, Flare and IBM X-Force published a detailed look at the IT worker operation and its internal structure, while highlighting how IT workers attend prestigious universities in North Korea and go through a rigorous interview process themselves before joining the scheme.

    They are “considered elite members of North Korean society and have become an indispensable part of the overall North Korean government’s strategic objectives,” the companies noted. “These objectives include, but are not limited to, revenue generation, remote employment activity, theft of corporate and proprietary information, extortion, and providing support to other North Korean groups.”

    abuse AutoRun Code deploy hackers Korean Malware North StoatWaffle tasks
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleHundreds of NYU instructors are on strike—even after spending spring break at the negotiating table
    Next Article Nvidia CEO Jensen Huang says ‘I think we’ve achieved AGI’
    admin
    • Website

    Related Posts

    Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack

    July 14, 2026

    Microsoft Patches a Record 570 Security Flaws – Krebs on Security

    July 14, 2026

    SAP Patches CVSS 9.9 NetWeaver ABAP Flaw That Could Expose or Modify Data

    July 14, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    M.P. Evans Group PLC (MPEVF) Discusses Responsible Production and Pricing Dynamics in Palm Oil Industry Transcript

    France 0 – 2 Spain

    Helping AI models to meet the real world | MIT News

    Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by