WaterPlum, a hacking group linked to North Korea, has released a new piece of malware called StoatWaffle. The group is using hacked Visual Studio Code (VSCode) repositories that look like real blockchain development projects to quietly get into developer machines.
For a while now, WaterPlum has been running a campaign called "Contagious Interview," in which it sets up fake job interviews to trick people into running harmful code on their computers. The group is split into several teams. Team 8, which is also known as Moralis and Modilus, is in charge of this latest wave.
Before this, Team 8's main tool was the OtterCookie malware.
The team switched to using StoatWaffle around December 2025, which was a clear and planned upgrade to its attack tools. Security teams should block these indicators of compromise: 185[.]163.125.196, 147[.]124.202.208, 163[.]245.194.216, 66[.]235.168.136, and 87[.]236.177.9.
Keeping an eye out for unexpected Node.js installations or hidden child processes that come from VSCode can also reveal that a computer has been hacked.
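The two checks described above can be combined into one triage pass over endpoint telemetry. The following is an added example, not code from the original article: the event schema, the list of expected Node.js directories and the VSCode process names are assumptions, and the sample events are constructed.

```python
import ipaddress

# IoCs exactly as published in the article (defanged); refanged at load time.
DEFANGED_IOCS = ["185[.]163.125.196", "147[.]124.202.208", "163[.]245.194.216",
                 "66[.]235.168.136", "87[.]236.177.9"]
IOC_IPS = {ipaddress.ip_address(i.replace("[.]", ".")) for i in DEFANGED_IOCS}

# Assumptions: where a managed Node.js lives on this fleet, and VSCode image names.
EXPECTED_NODE_DIRS = ("/usr/bin/", "/usr/local/bin/", "c:\\program files\\nodejs\\")
VSCODE_NAMES = {"code", "code.exe"}
NODE_NAMES = {"node", "node.exe"}

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def has_vscode_ancestor(pid, procs):
    """Walk the parent chain; 'seen' guards against PID-reuse loops."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid]["ppid"]
        if pid in procs and basename(procs[pid]["image"]) in VSCODE_NAMES:
            return True
    return False

def triage(events):
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process" and basename(e["image"]) in NODE_NAMES:
            # VSCode terminals start node legitimately, so key on the install path.
            managed = e["image"].lower().startswith(EXPECTED_NODE_DIRS)
            if not managed and has_vscode_ancestor(e["pid"], procs):
                findings.append(("unexpected-node-under-vscode", e["pid"]))
        elif e["type"] == "network" and ipaddress.ip_address(e["dst"]) in IOC_IPS:
            findings.append(("ioc-connection", e["pid"]))
    return findings

# Constructed sample telemetry (not from a real incident).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "/usr/share/code/code"},
    {"type": "process", "pid": 110, "ppid": 100, "image": "/bin/bash"},
    {"type": "process", "pid": 120, "ppid": 110, "image": "/usr/bin/node"},
    {"type": "process", "pid": 130, "ppid": 100, "image": "/bin/sh"},
    {"type": "process", "pid": 140, "ppid": 130, "image": "/home/dev/.cache/rt/bin/node"},
    {"type": "network", "pid": 140, "dst": "87.236.177.9"},
    {"type": "network", "pid": 120, "dst": "192.0.2.10"},
    {"type": "process", "pid": 200, "ppid": 1, "image": "/tmp/x/node"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The managed Node.js under a VSCode terminal (pid 120) and the stray binary with no VSCode ancestor (pid 200) are not flagged by this rule; only the unmanaged copy launched beneath VSCode and its connection to a listed address are.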