A new malware strain called StoatWaffle, linked to the North Korea-attributed 'Contagious Interview' campaign, exploits VS Code's 'runOn:folderOpen' task configuration to auto-execute malicious code when developers open a seemingly legitimate blockchain-themed project repository. Built on Node.js, StoatWaffle is modular and includes a loader, credential stealer, and RAT that communicates with a C2 server. It targets browser credentials across Chromium and Firefox, and macOS Keychain databases. The campaign operator WaterPlum (Team 8 sub-cluster) shifted to StoatWaffle around December 2025, evolving from earlier npm package attacks and fake interview lures to weaponized developer environments.
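The trigger described above lives in a repository's `.vscode/tasks.json`, where a task carrying `"runOptions": {"runOn": "folderOpen"}` runs as soon as the folder is opened (in a trusted workspace). The following Python scanner is an added example for defenders, not code from the report or from the malware: it parses a tasks.json (including the comments and trailing commas VS Code's JSONC dialect permits) and lists every task set to auto-run on folder open, so a repository can be reviewed before it is opened or the check can run in CI. The sample tasks.json embedded in it is constructed for illustration and is not taken from any StoatWaffle sample.

```python
"""Flag VS Code tasks configured to auto-run when a folder is opened.

Added example (not from the original report): scans a .vscode/tasks.json
for tasks whose runOptions.runOn is "folderOpen", the mechanism the
summary above describes, so they can be reviewed before the workspace
is trusted.
"""
import json
import re
import sys
from typing import Dict, List

# Constructed sample of a tasks.json as a booby-trapped repo might ship it
# (hypothetical content, not a real StoatWaffle artifact).
SAMPLE_TASKS_JSON = r'''{
    // VS Code reads tasks.json as JSONC, so comments are legal here
    "version": "2.0.0",
    "tasks": [
        {
            "label": "build",
            "type": "shell",
            "command": "npm run build"
        },
        {
            "label": "Dev Setup",
            "type": "shell",
            "command": "node ./scripts/setup.js",
            "runOptions": { "runOn": "folderOpen" }
        }
    ]
}'''


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments from JSONC without touching string contents."""
    out = []
    i, n = 0, len(text)
    in_string = False
    while i < n:
        ch = text[i]
        if in_string:
            out.append(ch)
            if ch == "\\" and i + 1 < n:       # keep the escaped character (e.g. \")
                out.append(text[i + 1])
                i += 1
            elif ch == '"':
                in_string = False
            i += 1
        elif ch == '"':
            in_string = True
            out.append(ch)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j            # the newline itself is kept
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(ch)
            i += 1
    cleaned = "".join(out)
    # JSONC also tolerates trailing commas; drop them. This regex does not
    # track strings, an approximation acceptable for a triage tool.
    return re.sub(r",(\s*[}\]])", r"\1", cleaned)


def find_folder_open_tasks(tasks_json: str) -> List[Dict[str, str]]:
    """Return label/type/command for every task with runOptions.runOn == 'folderOpen'."""
    doc = json.loads(strip_jsonc(tasks_json))
    hits = []
    for task in doc.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            hits.append({
                "label": task.get("label", "<unlabelled>"),
                "type": task.get("type", "<unknown>"),
                "command": task.get("command", "<none>"),
            })
    return hits


if __name__ == "__main__":
    # Usage: python scan_tasks.py [path/to/.vscode/tasks.json]
    # Without an argument the constructed sample above is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_TASKS_JSON
    findings = find_folder_open_tasks(source)
    if not findings:
        print("No folderOpen auto-run tasks found.")
    for hit in findings:
        print(f"AUTO-RUN on folder open: label={hit['label']!r} "
              f"type={hit['type']} command={hit['command']!r}")
```

A hit is not proof of malice, since legitimate projects occasionally use `folderOpen` to start a watcher, but it is exactly the kind of task a reviewer should read before trusting the workspace, and the command it launches is where the review should focus.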