A North Korea-linked hacking group known as WaterPlum has introduced a dangerous new malware called StoatWaffle, deploying it through compromised Visual Studio Code (VSCode) repositories disguised as legitimate blockchain development projects to silently infiltrate developer machines.\u200b<\/p>\n
WaterPlum has been running a campaign known as \u201cContagious Interview\u201d for some time, drawing victims in through fake job interview setups and tricking them into running harmful code on their systems. <\/p>\n
The group is divided into several teams, and Team 8 \u2014 also tracked under the names Moralis and Modilus \u2014 is responsible for this latest wave. Team 8 previously depended on a malware family called OtterCookie<\/a> as its main tool. <\/p>\n Starting around December 2025, the team shifted gears and began deploying StoatWaffle instead, signaling a clear and deliberate upgrade in its attack toolkit.\u200b<\/p>\n NTT Security analysts identified StoatWaffle<\/a> while investigating Team 8\u2019s latest activities, noting that the malware marks a meaningful shift in WaterPlum\u2019s operational approach. <\/p>\n Their report, published on March 17, 2026, describes StoatWaffle as a fully modular, Node.js-based framework that operates in stages \u2014 consisting of a loader, a credential-stealing module, and a remote access trojan (RAT) component \u2014 each working together to give attackers deep access to compromised systems.\u200b<\/p>\n The attack starts with a carefully crafted repository shared among developers. Team 8 builds what appears to be a genuine blockchain project and places it where developers are likely to discover it. <\/p>\n Hidden inside the project is a\u00a0 As soon as a developer opens the folder in VSCode and grants it trust, the editor automatically executes a pre-set task \u2014 requiring no further action from the victim.\u200b<\/p>\n What makes this threat particularly serious is that most developers would not expect that simply opening a VSCode project folder could silently trigger a full malware infection running in the background \u2014 no scripts to run manually, no prompts to accept.\u200b<\/p>\n When the malicious task executes, it reaches out to a Vercel-hosted web application and downloads a batch script called\u00a0 If it is not, the script quietly downloads and installs it from the official Node.js website \u2014 removing a key technical barrier without drawing any attention. It then fetches a JavaScript file called\u00a0 The\u00a0 When the server responds with an error status, the loader runs the JavaScript code<\/a> embedded in that response, pulling down the second-stage payload. <\/p>\n Roughly five minutes into this polling cycle, the second downloader arrives and begins its own loop against the\u00a0 Once the second downloader is active, StoatWaffle deploys both its Stealer and RAT modules at the same time. <\/p>\n The Stealer targets saved browser credentials and cryptocurrency wallet<\/a> extension data across Chromium-based and Firefox browsers; on macOS, it also collects the Keychain database. <\/p>\n The RAT module awaits commands from the C2 server and can list files, run shell commands<\/a>, upload directories, and search for files matching a keyword \u2014 giving the attacker wide and persistent control over the infected host.\u200b<\/p>\n Developers should avoid trusting unfamiliar or unverified VSCode repositories, particularly those related to blockchain or cryptocurrency work. <\/p>\n VSCode workspace trust settings should be reviewed carefully, and policies restricting\u00a0 Watching for unexpected Node.js installations or hidden child processes spawned from VSCode can also serve as an early warning of compromise.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post WaterPlum Deploys New \u2018StoatWaffle\u2019 Malware in VSCode-Based Supply Chain Campaign<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n.vscode<\/code>\u00a0folder containing a\u00a0tasks.json<\/code>\u00a0file configured with a\u00a0runOn: folderOpen<\/code>\u00a0setting. <\/p>\n![\"Attack](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj8DSQC1FZGPp96xLvcAaVRZ2vTmb4wx82j5wI1n3tEROvy-WOhOMIq0-PNb7EhWdPwWOmxW66OKfvTcMl5GgiCFS19ySrhDukXmCdS7RbrOjOczcXOOT-KlloYdwuFSj3FZ3DX2B8Tv7klFh-t5VpwskGodkeaa0ppA8nGDWmgRUspOIsrG2lKLd0JCUc\/s16000\/Attack%2520flow%2520%28Source%2520-%2520NTT%2520Security%29.webp?ssl=1\")
StoatWaffle\u2019s Infection Chain<\/strong><\/h2>\n
vscode-bootstrap.cmd<\/code>. This script first checks whether Node.js is installed on the machine. <\/p>\nenv.npl<\/code>, which acts as the first-stage downloader in StoatWaffle\u2019s infection chain.\u200b<\/p>\nenv.npl<\/code>\u00a0file connects to a C2 server at\u00a0147[.]124.202.208<\/code>\u00a0on port 3000 and polls the\u00a0\/api\/errorMessage<\/code>\u00a0endpoint every five seconds. <\/p>\n\/api\/handleErrors<\/code>\u00a0endpoint on the same server, silently spawning hidden child processes to stay out of sight.\u200b<\/p>\nrunOn: folderOpen<\/code>\u00a0behavior should be enforced. Security teams are advised to block these indicators of compromise:\u00a0185[.]163.125.196<\/code>,\u00a0147[.]124.202.208<\/code>,\u00a0163[.]245.194.216<\/code>,\u00a066[.]235.168.136<\/code>, and\u00a087[.]236.177.9<\/code>. <\/p>\n