A hacking group linked to North Korea, known as WaterPlum, has launched a new malware threat named StoatWaffle. The group deploys this malware through compromised Visual Studio Code (VSCode) repositories, masquerading as legitimate blockchain projects to clandestinely access developer machines.
Background on WaterPlum’s Campaign
WaterPlum has been orchestrating a campaign called “Contagious Interview,” which lures victims into executing harmful code under the guise of job interviews. The operation is divided among various teams, with Team 8, also known by the aliases Moralis and Modilus, spearheading the latest attacks.
Historically, Team 8 relied on a malware strain called OtterCookie. However, they transitioned to using StoatWaffle from December 2025, indicating a significant enhancement in their attack methodology.
Technical Insights into StoatWaffle
Security experts from NTT Security discovered StoatWaffle during an analysis of Team 8’s activities. Their report, released on March 17, 2026, describes StoatWaffle as a modular framework built on Node.js. It operates in stages, featuring a loader, a credential-stealing module, and a remote access trojan (RAT) component, which function together to grant attackers extensive access to infiltrated systems.
The attack begins with a seemingly authentic blockchain project repository, placed where developers will find it. Inside, a .vscode folder holds a tasks.json file configured to run as soon as the folder is opened in VS Code, requiring no further action from the developer.
Potential Impact and Protective Measures
The threat posed by StoatWaffle is particularly severe because developers are unlikely to suspect that merely opening a VSCode project could automatically trigger a malware infection without manual script execution or prompts.
Upon execution, the malware reaches out to a Vercel-hosted web app to download a batch script, which silently installs Node.js if absent, removing a technical barrier. Subsequently, it downloads a JavaScript file acting as part of the infection chain.
Once active, StoatWaffle deploys its Stealer and RAT modules, targeting browser credentials, cryptocurrency wallet data, and more, while the RAT module awaits commands from a C2 server, granting attackers extensive control.
Developers should be cautious about trusting unverified VSCode repositories, especially those related to blockchain. Security settings should be reviewed, and suspicious behavior should be monitored.
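The mechanism described above (a tasks.json that runs when the folder is opened) and the review of repository contents suggested here can both be checked mechanically. The following scanner is an added example written for this article, not code from the NTT Security report or from any project the article names. It walks a checkout, parses every .vscode/tasks.json (VS Code accepts comments and trailing commas in that file, so a plain JSON parser is not enough) and reports any task whose runOptions.runOn is "folderOpen". The embedded tasks.json is a constructed sample with made-up labels and commands, included only to exercise the checker.

```python
"""Flag VS Code tasks that launch automatically when a folder is opened.

Added example for this article. The SAMPLE_TASKS_JSON below is constructed
test input, not content recovered from the campaign the article describes.
"""
from __future__ import annotations

import json
import re
from pathlib import Path

# Constructed sample: one ordinary build task and one auto-run task.
SAMPLE_TASKS_JSON = r'''{
    // comments and trailing commas are legal in VS Code's tasks.json
    "version": "2.0.0",
    "tasks": [
        {
            "label": "build",
            "type": "shell",
            "command": "npm run build",
        },
        {
            "label": "setup",
            "type": "shell",
            "command": "node",
            "args": [".vscode/setup.js"],
            "runOptions": { "runOn": "folderOpen" },
            "presentation": { "reveal": "silent" }
        }
    ]
}'''

_TRAILING_COMMA_RE = re.compile(r',(\s*[}\]])')


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments while leaving string contents untouched."""
    out: list[str] = []
    i, n, in_str = 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == '\\' and i + 1 < n:      # keep escaped char, e.g. \"
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith('//', i):
            j = text.find('\n', i)
            i = n if j == -1 else j
        elif text.startswith('/*', i):
            j = text.find('*/', i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return ''.join(out)


def load_jsonc(text: str) -> dict:
    """Parse VS Code's JSONC dialect with the standard json module."""
    cleaned = _TRAILING_COMMA_RE.sub(r'\1', strip_jsonc(text))
    return json.loads(cleaned)


def find_auto_tasks(doc: dict) -> list[dict]:
    """Return tasks VS Code would start on folder open, with what they run."""
    findings = []
    for task in doc.get('tasks', []):
        if (task.get('runOptions') or {}).get('runOn') != 'folderOpen':
            continue
        findings.append({
            'label': task.get('label', '<unnamed>'),
            'type': task.get('type', 'shell'),
            'command': task.get('command', ''),
            'args': task.get('args', []),
            # a hidden terminal is a further hint the task is not meant to be seen
            'silent': (task.get('presentation') or {}).get('reveal') == 'silent',
        })
    return findings


def scan_repo(root: Path) -> list[dict]:
    """Check every .vscode/tasks.json under root; parse errors are reported, not skipped."""
    results = []
    for path in root.rglob('tasks.json'):
        if path.parent.name != '.vscode':
            continue
        try:
            doc = load_jsonc(path.read_text(encoding='utf-8'))
        except (OSError, json.JSONDecodeError) as exc:
            results.append({'file': str(path), 'error': str(exc)})
            continue
        for finding in find_auto_tasks(doc):
            results.append({'file': str(path), **finding})
    return results


def scan_sample() -> list[dict]:
    """Run the checker over the constructed sample above."""
    return find_auto_tasks(load_jsonc(SAMPLE_TASKS_JSON))


if __name__ == '__main__':
    for f in scan_sample():
        print(f"auto-run task {f['label']!r}: {f['command']} {' '.join(f['args'])}")
```

Run scan_repo on a freshly cloned repository before opening it in the editor; any hit is worth reading before the folder is trusted. On the editor side, VS Code gates these tasks behind Workspace Trust and the task.allowAutomaticTasks setting, so keeping untrusted folders in Restricted Mode and setting that option to "off" stops a folder-open task from running at all.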
For continued updates, follow us on Google News, LinkedIn, and X. Set CSN as a preferred source on Google for more insights.
