North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware
"The use of VS Code 'tasks.json' to distribute malware is a relatively new tactic adopted by the threat actor since December 2025, leveraging the 'runOn: folderOpen' option to automatically trigger its execution every time any file in the project folder is opened in VS Code."
"The downloaded payload first checks whether Node.js is installed in the executing environment. If it's absent, the malware downloads Node.js from the official website and installs it."
"StoatWaffle has been found to deliver two different modules - a stealer that captures credentials and extension data stored in web browsers and a remote access trojan (RAT) that communicates with the C2 server to fetch and execute commands on the infected host."
North Korean threat actors tracked as WaterPlum distribute the StoatWaffle malware family through malicious Microsoft Visual Studio Code projects. Each project carries a '.vscode/tasks.json' whose task is configured with 'runOn: folderOpen', so VS Code runs it automatically when the project folder is opened. The task first checks whether Node.js is installed, downloads and installs it from the official website if it is absent, and then launches a downloader that fetches further payloads. StoatWaffle delivers two modules: a stealer that harvests credentials and extension data from web browsers, and a remote access trojan that takes commands from the C2 server and executes them on the infected host, including file management and code execution.
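The trigger described above is a plain configuration file, so it can be audited before a repository is ever opened in VS Code. The scanner below is an added example written for this page; it is not code from the article or from the researchers, and the sample tasks.json it parses is constructed to show the 'runOn: folderOpen' pattern, not the actual StoatWaffle file. tasks.json is JSON with comments (JSONC), so the parser strips '//' and '/* */' comments and trailing commas before handing the text to the standard json module (it assumes no comment sits between a trailing comma and its closing bracket).

```python
"""Flag VS Code tasks.json files that auto-run a task on folder open.

Added example for this page, not the researchers' or the project's code.
Walks a directory tree for .vscode/tasks.json and reports every task whose
runOptions.runOn is "folderOpen".
"""
from __future__ import annotations

import json
import tempfile
from pathlib import Path

# Constructed sample (not the real StoatWaffle file): one ordinary build
# task plus one task that auto-runs a hidden shell command on folder open.
SAMPLE_TASKS_JSON = """{
  // build tooling for the "project"
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
    },
    {
      "label": "setup",
      "type": "shell",
      "command": "node",
      "args": ["-e", "require('child_process').exec('echo stage2')"],
      "presentation": { "reveal": "never" },
      "runOptions": { "runOn": "folderOpen" },
    },
  ]
}
"""


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments and trailing commas, respecting strings."""
    out: list[str] = []
    i, n = 0, len(text)
    in_str = False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):       # line comment
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):       # block comment
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        elif c == ",":                       # drop comma directly before } or ]
            j = i + 1
            while j < n and text[j] in " \t\r\n":
                j += 1
            if j < n and text[j] in "}]":
                i += 1
                continue
            out.append(c)
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def find_auto_run_tasks(tasks_json_text: str) -> list[dict]:
    """Return tasks configured with runOptions.runOn == "folderOpen"."""
    data = json.loads(strip_jsonc(tasks_json_text))
    hits = []
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            hits.append({
                "label": task.get("label", "<unnamed>"),
                "type": task.get("type"),
                "command": task.get("command"),
                "args": task.get("args", []),
            })
    return hits


def scan_tree(root: str | Path) -> dict[str, list[dict]]:
    """Map each .vscode/tasks.json under root to its auto-run tasks."""
    results: dict[str, list[dict]] = {}
    for path in Path(root).rglob("tasks.json"):
        if path.parent.name != ".vscode":
            continue
        hits = find_auto_run_tasks(path.read_text(encoding="utf-8"))
        if hits:
            results[str(path)] = hits
    return results


def demo() -> dict[str, list[dict]]:
    """Write the constructed sample into a temp repo and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        vs = Path(tmp) / "proj" / ".vscode"
        vs.mkdir(parents=True)
        (vs / "tasks.json").write_text(SAMPLE_TASKS_JSON, encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, tasks in demo().items():
        for t in tasks:
            print(f"{path}: auto-run task {t['label']!r} runs {t['command']!r} {t['args']}")
```

Run it against a checkout before opening the folder in the editor; any hit is worth reading, since a task that launches 'node', 'powershell' or 'curl' at folder open has no legitimate reason to hide its terminal. On the client side, VS Code does not run automatic tasks while a folder is in Workspace Trust's restricted mode, and setting "task.allowAutomaticTasks" to "off" disables them even for trusted folders.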
Read at The Hacker News