In recent months a cyber-threat campaign has grown that combines very polished social engineering with an unconventional technique aimed at developers: delivering malware through malicious Visual Studio Code projects. Recent research points to a North Korean cluster known as Contagious Interview or WaterPlum, which is linking a malware family dubbed StoatWaffle to this tactic, directed against professionals in the open source ecosystem and, in particular, the critical sector and Web3.
The attack vector abuses a legitimate file in VS Code projects: tasks.json. When a task is configured with the option runOn: folderOpen, remote code can be made to run automatically as soon as a developer opens the project folder in their editor. According to the NTT Security analysis, the attackers have used that feature to start a chain of downloads from cloud services, so that execution requires no more interaction than opening the workspace in VS Code, a gesture many consider harmless in their daily workflow (NTT Security report).

StoatWaffle's infection chain is deliberately resilient. The first binary downloaded checks whether Node.js exists on the victim machine; if it is not present, it installs it directly from the official website and then runs a downloader that regularly polls an external server for the next stage. This second stage behaves the same way: it contacts another endpoint, receives JavaScript code and runs it with Node.js, creating a download-and-execute pipeline that can be maintained and updated from the attacker's infrastructure.
This modular design allows operators to choose between different capabilities depending on the target. The analysis shows that StoatWaffle deploys, on the one hand, a stealer that extracts credentials and data from Chromium- and Firefox-based browser extensions and that, on macOS, even reaches the iCloud Keychain database. On the other hand, the package can install a RAT (remote access Trojan) that communicates with command-and-control servers to run orders ranging from listing and uploading files to executing shell commands or Node.js code supplied by the attackers.
The choice of Node.js as a runtime is not accidental: it offers portability between systems and the convenience of running complex scripts with few changes, making it easier for the malware to be multi-platform and to evolve quickly. In addition, the attackers have been refining their logistics: the first campaigns used domains on services such as Vercel to host the downloads, while more recent variants have moved to scripts hosted on GitHub Gist, taking advantage of the trust that public repositories generate and the ease of integrating such content into legitimate GitHub projects.
This development does not occur in a vacuum. WaterPlum is part of a wider series of operations aimed at the open source supply chain. Malicious npm packages have been detected that serve as distributors of malware such as PylangGhost (KM Security analysis), and campaigns such as PolinRider inserted JavaScript into hundreds of public repositories, altering projects to deploy payloads such as BeaverTail, a well-known loader/stealer related to the same family of attackers (PolinRider study).
Microsoft has documented how the Contagious Interview operators gain their initial foothold through fake recruitment processes that simulate real technical interviews. With a convincing script, candidates receive exercises and commands supposedly required for the evaluation, and end up running instructions that compromise their machines. In many cases the targets are not junior developers but founders, CTOs and senior engineers from the cryptocurrency world, professionals whose privileged access can enable key theft and the exfiltration of digital assets (Microsoft analysis).
The malware families that appear in these intrusions reveal an active and multifaceted ecosystem: from OtterCookie, designed to exfiltrate large amounts of information, to InvisibleFerret, a backdoor written in Python, and FlexibleFerret (also called WeaselStore), which exists in Go and Python variants under names such as GolangGhost and PylangGhost. In some cases, initial access achieved with OtterCookie is then used to download second stages such as InvisibleFerret. Researchers have also documented intrusions in which well-known repositories were manipulated through compromised accounts to distribute encrypted payloads embedded in blockchain transactions, a technique used to camouflage the payload and hinder detection (compromise of Neutralinojs).
In response to this modus operandi, the software community reacted with updates to Visual Studio Code itself. In version 1.109 Microsoft introduced a global setting that disables automatic task execution by default, task.allowAutomaticTasks, and prevented malicious repositories from overriding that preference at the workspace level. Later versions added additional warnings when an automatic task is detected in a newly opened workspace, measures that seek to return control to the user and reduce the risk of silent execution (release notes for version 1.109, version 1.110).
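As an added, defender-side example that is not part of the NTT Security or Microsoft reporting, the following Python script shows how to audit a checked-out project for the tasks.json pattern described above and for the task.allowAutomaticTasks setting: it parses the JSONC format VS Code uses (comments and trailing commas would break a plain JSON parser), flags any task whose runOptions.runOn is "folderOpen", and checks that the user's settings explicitly turn automatic tasks off. The sample tasks.json and settings.json embedded in it are constructed, and the ./scripts/prepare.sh path is a hypothetical placeholder.

```python
"""
Scan a VS Code workspace for tasks that run automatically on folderOpen.

Added example for this article; it is not code from NTT Security, Microsoft
or any of the projects mentioned. It parses .vscode/tasks.json (a JSONC file:
JSON with comments and trailing commas), flags every task whose
runOptions.runOn is "folderOpen", and checks whether the user's settings
explicitly set "task.allowAutomaticTasks" to "off". The sample inputs below
are constructed for the demonstration.
"""
import json
import re
import sys
from pathlib import Path

# Both patterns match JSON string literals first (group 1) so that a "//" or
# "/*" inside a command string is never mistaken for a comment, and a comma
# inside a string is never mistaken for a trailing comma.
_COMMENTS = re.compile(r'("(?:\\.|[^"\\])*")|/\*.*?\*/|//[^\n]*', re.DOTALL)
_TRAILING_COMMA = re.compile(r'("(?:\\.|[^"\\])*")|,(?=\s*[}\]])')


def strip_jsonc(text: str) -> str:
    """Turn JSONC into strict JSON: keep strings, drop comments and trailing commas."""
    keep_strings = lambda m: m.group(1) or ""
    return _TRAILING_COMMA.sub(keep_strings, _COMMENTS.sub(keep_strings, text))


def load_jsonc(text: str):
    """Parse a JSONC document (what VS Code accepts in tasks.json / settings.json)."""
    return json.loads(strip_jsonc(text))


def find_auto_tasks(tasks_json: str) -> list:
    """Return the tasks in a tasks.json document configured with runOn: folderOpen."""
    doc = load_jsonc(tasks_json)
    flagged = []
    for task in doc.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            flagged.append({
                "label": task.get("label", "<unlabelled>"),
                "type": task.get("type"),
                "command": task.get("command"),
                "args": task.get("args", []),
            })
    return flagged


def automatic_tasks_disabled(settings_json: str) -> bool:
    """True only when settings.json explicitly sets task.allowAutomaticTasks to "off".

    The article reports that VS Code 1.109 made "off" the default; on older
    builds an absent key does not block automatic tasks, so this check asks
    for the explicit value rather than assuming the default.
    """
    return load_jsonc(settings_json).get("task.allowAutomaticTasks") == "off"


def scan_workspace(root: Path) -> dict:
    """Scan a checked-out project directory for the two signals above."""
    vscode = root / ".vscode"
    result = {"auto_tasks": [], "repo_sets_allow_automatic_tasks": False}
    tasks_file = vscode / "tasks.json"
    if tasks_file.is_file():
        result["auto_tasks"] = find_auto_tasks(tasks_file.read_text(encoding="utf-8"))
    settings_file = vscode / "settings.json"
    if settings_file.is_file():
        ws = load_jsonc(settings_file.read_text(encoding="utf-8"))
        # A repository that ships this key in its own settings is trying to
        # override the user's preference; per the article, 1.109 stops that
        # from taking effect, but the attempt itself is worth reporting.
        result["repo_sets_allow_automatic_tasks"] = "task.allowAutomaticTasks" in ws
    return result


# Constructed sample tasks.json: one ordinary build task and one task that
# would launch a (hypothetical) script as soon as the folder is opened.
SAMPLE_TASKS_JSON = r'''{
    // project tasks
    "version": "2.0.0",
    "tasks": [
        {
            "label": "build",
            "type": "shell",
            "command": "npm run build",
        },
        {
            "label": "prepare",
            "type": "shell",
            "command": "sh",
            "args": ["-c", "./scripts/prepare.sh"], /* hypothetical path */
            "runOptions": { "runOn": "folderOpen" },
        },
    ]
}'''

# Constructed user settings: the hardened value the article describes.
SAMPLE_SETTINGS_JSON = '{ "task.allowAutomaticTasks": "off" }'

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(json.dumps(scan_workspace(Path(sys.argv[1])), indent=2))
    else:
        for t in find_auto_tasks(SAMPLE_TASKS_JSON):
            print(f"auto-run task {t['label']!r}: {t['command']} {' '.join(t['args'])}")
        print("automatic tasks disabled in sample settings:",
              automatic_tasks_disabled(SAMPLE_SETTINGS_JSON))
```

Run it with no arguments to see the constructed sample flagged, or pass a project directory to inspect its .vscode folder before opening it in the editor. Treating an absent setting as "not disabled" is deliberate: on builds older than 1.109 the key's absence did not block automatic tasks, so the check errs on the side of reporting.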
Beyond VS Code, adversaries have exploited the dynamic of trust between recruiter and candidate to convince targets to run commands in their terminal by means of fake pages that mimic CAPTCHAs or video links. MacPaw researchers describe campaigns that use this pattern to place commands in the clipboard and get them executed, with payloads adapted to both macOS and Windows (Moonlock Lab analysis).
The phenomenon is not only technical: it also has legal and human dimensions. Recent U.S. sentences have punished individuals involved in fraudulent recruitment schemes that facilitated the participation of North Korean workers in malware and fraud operations, underscoring how recruitment and fraud networks serve as a bridge between the technical capabilities and the geopolitical objectives of the states involved (Department of Justice communiqué).
Joint investigations by security firms have mapped the infrastructure and playbook of these operations, stressing that the so-called "IT workers" in the North Korean network go through selection processes and form an organized structure that pursues objectives such as revenue generation, intellectual property theft, extortion and support for other state groups (Kudelski research).

For those who develop or collaborate on open source projects, the lesson is clear: default trust becomes a risk vector when it suits attackers. Keeping tools up to date, carefully reviewing any instruction or script requested during a technical evaluation, and disabling automatic task execution are practical steps that can break these chains. Companies should combine technical controls with targeted training for key staff, since senior profiles are often the most lucrative targets in these campaigns.
The pattern also reveals a strategic preference: attackers favour legitimate development mechanisms (repositories, package managers, evaluation tools) because they lower suspicion and raise the success rate. Meanwhile, collaboration between security teams, open source platforms and development tool vendors will be essential if these malicious practices are not to become routine. Public reports and vendor updates, from NTT and Microsoft to independent teams analysing npm packages and compromised repositories, make it possible to track the evolution of these threats and apply informed countermeasures (NTT Security, Microsoft, Abstract Security, Kudelski).
In short, StoatWaffle and the associated campaigns are a reminder that open software and the tools that accelerate development can also be used as attack vectors in the hands of sophisticated adversaries. The response should combine sensible configuration changes, proactive monitoring of the supply chain and a security mindset that questions even the apparently familiar in recruitment and technical collaboration processes.