North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware
24.03.2026

North Korean hackers have exploited VS Code's tasks.json auto-run feature since December 2025 to deploy StoatWaffle malware, enabling data theft and remote control.

Since December 2025, North Korean state-sponsored hackers have been abusing Visual Studio Code's tasks.json auto-run functionality to deploy StoatWaffle malware. This malware is designed to steal sensitive data and provide attackers with remote control over compromised systems.
The attack chain begins with social engineering, where victims are tricked into downloading malicious Node.js packages from GitHub. These packages contain hidden scripts that automatically execute when VS Code opens, leveraging the tasks.json file's auto-run feature to deploy StoatWaffle without user interaction.
StoatWaffle is a sophisticated malware capable of exfiltrating credentials, financial data, and intellectual property. It also establishes a backdoor, allowing attackers to execute commands, upload additional payloads, and maintain persistence on infected machines.
This campaign highlights the growing trend of software supply chain attacks, where trusted tools like VS Code and open-source repositories are weaponized. Developers and organizations are urged to review their VS Code configurations, avoid untrusted packages, and implement security measures to detect and prevent such exploits.
The Hacker News, along with cybersecurity experts, continues to monitor this threat and provide updates. Stay vigilant and ensure your development environments are secure against these evolving tactics.
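
A defensive check for the configuration review urged above, as an added example (not code from the article or from any vendor). It assumes the "auto-run" behaviour refers to VS Code's documented `runOptions.runOn: "folderOpen"` task option; the function names and `SAMPLE` are constructed for illustration.

```python
import json
import re
import sys
from pathlib import Path

# A JSON string literal; matched first so "//" inside a command is not a comment.
_STRING = r'"(?:\\.|[^"\\])*"'
_COMMENT = re.compile(_STRING + r'|//[^\n]*|/\*.*?\*/', re.S)
_TRAILING = re.compile(_STRING + r'|,(?=\s*[}\]])')
# Constructed sample (JSONC with a trailing comma), not taken from the campaign.
SAMPLE = '{"tasks": [{"label": "setup", "command": "echo hi", "runOptions": {"runOn": "folderOpen"},}]}'

def _keep_strings(match):
    return match.group(0) if match.group(0).startswith('"') else ""

def parse_jsonc(text):
    """tasks.json allows comments and trailing commas; strip them, then parse."""
    text = _COMMENT.sub(_keep_strings, text)
    return json.loads(_TRAILING.sub(_keep_strings, text))

def auto_run_tasks(text):
    """Return (label, command line) for every task set to run on folder open."""
    hits = []
    for task in parse_jsonc(text).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            parts = [task.get("command", "")] + list(task.get("args", []))
            hits.append((task.get("label", "<unlabelled>"),
                         " ".join(str(p) for p in parts).strip()))
    return hits

def scan(root):
    """Map each .vscode/tasks.json under root to its auto-run tasks."""
    findings = {}
    for path in Path(root).rglob("tasks.json"):
        if path.parent.name != ".vscode":
            continue
        try:
            hits = auto_run_tasks(path.read_text(encoding="utf-8", errors="replace"))
        except (ValueError, AttributeError, TypeError, OSError):
            hits = [("<unparseable>", "review this file manually")]
        if hits:
            findings[str(path)] = hits
    return findings

if __name__ == "__main__":
    for path, hits in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for label, cmd in hits:
            print(f"{path}: task {label!r} runs on folder open: {cmd}")
```

Run it against a freshly cloned repository before opening the folder in VS Code; any task it reports deserves a manual read of its command.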

