North Korean hackers exploit VS Code autorun tasks to deploy StoatWaffle malware

March 23, 2026

StoatWaffle malware

The North Korean threat actor behind the Contagious Interview campaign, also tracked as WaterPlum, has been linked to a malware family tracked as StoatWaffle, which is distributed via malicious Microsoft Visual Studio Code (VS Code) projects.

Using VS Code’s “tasks.json” to distribute malware is a relatively new tactic, employed by threat actors since December 2025. The attack leverages the “runOn: folderOpen” option, which automatically triggers execution whenever the project folder is opened in VS Code.

“This task is configured to download data from a web application on Vercel regardless of the running OS [operating system],” NTT Security said in a report released last week. “Although this article assumes that the operating system is Windows, the basic operation is the same for any operating system.”

The downloaded payload first checks whether Node.js is installed in the execution environment. If Node.js is not present, the malware downloads and installs it from the official website. It then launches a downloader that periodically polls the external server, connects to another endpoint on the same server, and executes the received response as Node.js code to obtain a next-stage downloader that exhibits the same behavior.

StoatWaffle offers two different modules:

  • A stealer that captures credentials and extension data stored in web browsers (Chromium-based browsers and Mozilla Firefox) and uploads them to a command-and-control (C2) server. If the compromised system is running macOS, the iCloud Keychain database is also stolen.
  • A remote access Trojan (RAT) that communicates with a C2 server to retrieve and execute commands on infected hosts. These commands allow the malware to change the current working directory, enumerate files and directories, execute Node.js code, upload files, recursively search specified directories and list or upload files matching specific keywords, execute shell commands, and terminate itself.

“StoatWaffle is a modular malware implemented in Node.js and includes a Stealer module and a RAT module,” the Japanese security vendor said. “WaterPlum continually develops new malware and updates existing malware.”

This development coincides with several other campaigns launched by threat actors targeting the open source ecosystem:

  • A set of malicious npm packages that distribute PylangGhost, marking the first time this malware has been seen propagated via npm packages.
  • A campaign known as PolinRider that embedded malicious obfuscated JavaScript payloads into hundreds of public GitHub repositories, ultimately culminating in the deployment of a new version of BeaverTail, a known stealer and downloader attributed to Contagious Interview. The compromise includes four repositories belonging to the Neutralinojs GitHub organization. The attackers allegedly compromised the GitHub accounts of long-time Neutralinojs contributors with organization-level write access and force-pushed JavaScript code that retrieves payloads encrypted in Tron, Aptos, and Binance Smart Chain (BSC) transactions and then downloads and executes BeaverTail. Victims are believed to have been infected via a malicious VS Code extension or npm package.

Microsoft said in an analysis of Contagious Interview this month that attackers achieve initial access to developer systems through a “persuasive, step-by-step recruitment process” that mirrors a formal technical interview, ultimately convincing victims to run malicious commands or packages hosted on GitHub, GitLab, or Bitbucket as part of their evaluation.

In some cases, targets are even approached on LinkedIn. The individuals chosen for this social engineering attack are not junior developers, but rather founders, CTOs, and senior engineers in the crypto or Web3 space, who are likely to have privileged access to the company’s technical infrastructure and crypto wallets. In a recent incident, attackers unsuccessfully targeted the founder of AllSecure.io through a fake job interview.

Key malware families deployed as part of these attack chains include OtterCookie (a backdoor capable of large-scale data theft), InvisibleFerret (a Python-based backdoor), and FlexibleFerret (a modular backdoor implemented in both Go and Python). InvisibleFerret is typically delivered via BeaverTail, but in recent intrusions it has been observed leveraging initial access gained through OtterCookie before the remaining malware is distributed as follow-on payloads.

It’s worth mentioning here that FlexibleFerret is also known as WeaselStore. Its Go and Python variants are named GolangGhost and PylangGhost, respectively.

In a sign that threat actors are actively refining their techniques, a new variation of the VS Code project replaces the Vercel-based domain with a script hosted on GitHub Gist to download and execute the next-stage payload, which ultimately leads to FlexibleFerret deployment. These VS Code projects are staged on GitHub.

“By embedding targeted malware delivery directly into the interviewing tools, coding exercises, and assessment workflows that developers inherently trust, threat actors exploit the trust job seekers place in the hiring process at a time of high motivation and time pressure to reduce suspicion and resistance,” the tech giant said.

In response to continued exploitation of VS Code tasks, Microsoft included mitigations in the January 2026 update (version 1.109). This introduces a new “task.allowAutomaticTasks” setting that is set to “off” by default to improve security and prevent tasks defined in “tasks.json” from being unintentionally executed when a workspace is opened.

“This update also prevents settings from being defined at the workspace level, so malicious repositories with their own .vscode/settings.json files should be unable to override users’ (global) settings,” Abstract Security said.

“This version and the recent February 2026 (version 1.110) release also introduce a second prompt to alert users when an autorun task is detected in a newly opened workspace. This acts as an additional guard after the user accepts the workspace trust prompt.”
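Two of the points above can be checked mechanically on a repository before it is ever opened in an editor: whether .vscode/tasks.json defines any task with the “runOn: folderOpen” option described earlier, and whether a workspace-level .vscode/settings.json tries to set “task.allowAutomaticTasks” for the user. The following Python script is an added example written for this article, not code from NTT Security, Microsoft or any of the vendors quoted; the tasks.json and settings.json it embeds are constructed samples, and the list of watched settings keys is an assumption for the example.

```python
"""Audit a VS Code workspace for auto-run tasks and settings overrides.

Added example for this article, not code from NTT Security or Microsoft.
It flags tasks VS Code would launch on folder open (runOptions.runOn ==
"folderOpen") and workspace settings that try to touch automatic-task policy.
"""
from __future__ import annotations

import json
import re
import sys
from pathlib import Path

# Keys a repository's own .vscode/settings.json should never decide for the
# user. Assumed watch-list for this example; extend as needed.
WATCHED_SETTINGS = ("task.allowAutomaticTasks", "security.workspace.trust.enabled")


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments (outside strings) and trailing commas.

    VS Code config files are JSONC, which json.loads rejects as-is.
    """
    out: list[str] = []
    i, n, in_str = 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):       # line comment: skip to newline
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):       # block comment: skip past */
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    # Trailing commas before } or ] are tolerated by VS Code, not by json.
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def find_autorun_tasks(tasks_json: str) -> list[dict]:
    """Return the tasks that would run automatically when the folder opens."""
    data = json.loads(strip_jsonc(tasks_json))
    hits = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            hits.append({"label": task.get("label"), "type": task.get("type"),
                         "command": task.get("command"), "args": task.get("args", [])})
    return hits


def settings_override_attempts(settings_json: str) -> list[str]:
    """Return watched keys that a workspace settings.json tries to set."""
    data = json.loads(strip_jsonc(settings_json))
    return [key for key in WATCHED_SETTINGS if key in data]


def audit_workspace(root: Path) -> dict:
    """Audit a checked-out repository without opening it in an editor."""
    report: dict = {"autorun_tasks": [], "settings_overrides": []}
    tasks, settings = root / ".vscode" / "tasks.json", root / ".vscode" / "settings.json"
    if tasks.is_file():
        report["autorun_tasks"] = find_autorun_tasks(tasks.read_text(encoding="utf-8"))
    if settings.is_file():
        report["settings_overrides"] = settings_override_attempts(settings.read_text(encoding="utf-8"))
    return report


# Constructed samples mirroring the layout the article describes; the commands
# and paths are placeholders, not indicators from any real campaign.
SAMPLE_TASKS = """{
    // an ordinary build task a reviewer would expect to see
    "version": "2.0.0",
    "tasks": [
        { "label": "build", "type": "shell", "command": "npm run build", },
        {
            "label": "setup",
            "type": "shell",
            "command": "node",
            "args": ["scripts/setup.js"],
            "runOptions": { "runOn": "folderOpen" }, /* fires on open */
        }
    ]
}"""
SAMPLE_SETTINGS = """{ "editor.tabSize": 2, "task.allowAutomaticTasks": "on" }"""

if __name__ == "__main__":
    if len(sys.argv) > 1:   # audit a real checkout: python audit_vscode.py <repo>
        print(json.dumps(audit_workspace(Path(sys.argv[1])), indent=2))
    else:                   # no argument: audit the embedded samples
        print(json.dumps({"autorun_tasks": find_autorun_tasks(SAMPLE_TASKS),
                          "settings_overrides": settings_override_attempts(SAMPLE_SETTINGS)},
                         indent=2))
```

Run it with a path to a freshly cloned repository to get a JSON report before the folder is opened in VS Code; with no argument it audits the embedded samples and reports the “setup” task and the attempted “task.allowAutomaticTasks” override. The comment stripper is deliberately minimal (it handles comments and trailing commas, not every JSONC corner case), which is enough for a pre-open check but not a substitute for the editor’s own trust and autorun prompts.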

In recent months, North Korean threat actors have also engaged in coordinated malware campaigns targeting cryptocurrency experts through LinkedIn social engineering, fake venture capital firms, and fraudulent video conferencing links. This activity overlaps with clusters tracked as GhostCall and UNC1069.

MacPaw’s Moonlock Lab said, “The chain of attack culminates in a fake ClickFix-style CAPTCHA page that tricks the victim into executing commands inserted into the clipboard within the terminal. This campaign is cross-platform by design, delivering payloads tailored for both macOS and Windows.”

The findings come as the U.S. Department of Justice (DoJ) announced the sentencing of Audricus Fagnasay, 25, Jason Salazar, 30, and Alexander Paul Travis, 35, for facilitating North Korea’s illicit information technology (IT) worker program in violation of international sanctions. All three had previously pleaded guilty in November 2025.

Mr. Fagnasay and Mr. Salazar were both sentenced to three years’ probation and fined $2,000. They were also ordered to forfeit any illegal proceeds obtained from their participation in the wire fraud conspiracy. Travis was sentenced to one year in prison and ordered to forfeit $193,265, the amount the North Korean had earned using his identity.

“These individuals were effectively handing over the keys to their online kingdom to what appeared to be North Korea’s overseas technology workers to augment the North Korean government’s illicit income, all in exchange for what seemed like an easy ride for them,” Margaret Heap, U.S. attorney for the Southern District of Georgia, said in a statement.

Last week, Flare and IBM X-Force released an in-depth study of IT workers’ operations and their inner workings, highlighting how IT workers attend North Korea’s prestigious universities and undergo a rigorous interview process themselves before joining the system.

They are “considered elite members of North Korean society and an integral part of the overall strategic goals of the North Korean government,” the companies said. “These purposes include, but are not limited to, revenue generation, remote employment activities, theft of corporate or confidential information, extortion, and support for other North Korean groups.”
