North Korea Targets Devs with Malware via VS Code Campaign

North Korea’s Contagious Interview threat actors have been linked to a malware family called StoatWaffle, which is distributed through malicious Microsoft Visual Studio Code (VS Code) projects. These projects use “tasks.json” so that the malware runs automatically every time any file is opened in VS Code.

StoatWaffle has two main modules: a stealer that captures credentials and data stored in web browsers, and a remote access trojan (RAT) that communicates with a command-and-control server to execute commands on infected hosts. The malware targets developers in the cryptocurrency and Web3 sector, who are often given elevated access to company tech infrastructure.

The threat actors have been using various tactics to gain initial access to developer systems, including “convincingly staged recruitment processes” and social engineering attacks via LinkedIn. They also use fake job interviews to persuade victims to run malicious commands or packages hosted on GitHub, GitLab, or Bitbucket.

To mitigate this threat, Microsoft has included a new setting in the January 2026 update that prevents unintended execution of tasks defined in “tasks.json”. The company has also introduced a warning prompt when an auto-run task is detected in a newly opened workspace.
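
A pre-open check for cloned repositories, as an added example that is not from the original article or from Microsoft: it lists the tasks in each `.vscode/tasks.json` that are set to run when the folder opens. It assumes the auto-run trigger is VS Code's `runOptions.runOn: "folderOpen"` task property, which the article does not name; `SAMPLE` and the function names are constructed for illustration.

```python
import json, re
from pathlib import Path

# Constructed sample: JSONC with a comment, trailing commas and one auto-run task.
SAMPLE = """{
  // build helpers
  "version": "2.0.0",
  "tasks": [
    {"label": "lint", "type": "shell", "command": "npm run lint"},
    {"label": "setup", "type": "shell", "command": "echo constructed-sample",
     "runOptions": {"runOn": "folderOpen"},},
  ]
}"""

_STR = r'"(?:\\.|[^"\\])*"'  # a JSON string literal, matched first so its content is kept

def strip_jsonc(text):
    """Drop // and /* */ comments, then trailing commas; string literals stay intact."""
    keep_str = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    text = re.sub(_STR + r"|//[^\n]*|/\*.*?\*/", keep_str, text, flags=re.S)
    return re.sub(_STR + r"|,(?=\s*[}\]])", keep_str, text)

def autorun_tasks(text):
    """Return (label, commands) for tasks with runOptions.runOn == "folderOpen" (assumed trigger)."""
    doc = json.loads(strip_jsonc(text))
    tasks = doc.get("tasks") if isinstance(doc, dict) else None
    hits = []
    for task in tasks if isinstance(tasks, list) else []:
        opts = task.get("runOptions") if isinstance(task, dict) else None
        if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
            scopes = [task] + [task.get(k) for k in ("windows", "linux", "osx")]  # per-OS overrides
            cmds = [str(s["command"]) for s in scopes if isinstance(s, dict) and "command" in s]
            hits.append((task.get("label", ""), cmds))
    return hits

def scan_repo(root):
    """Check every .vscode/tasks.json under root; unparseable files are reported, not skipped."""
    report = {}
    for path in sorted(Path(root).rglob(".vscode/tasks.json")):
        try:
            found = autorun_tasks(path.read_text(encoding="utf-8", errors="replace"))
        except json.JSONDecodeError:
            found = [("<unparseable, review by hand>", [])]
        if found:
            report[str(path)] = found
    return report

if __name__ == "__main__":
    import sys
    print(scan_repo(sys.argv[1]) if len(sys.argv) > 1 else autorun_tasks(SAMPLE))
```

Run it with a repository path before opening the folder in the editor. An empty report means no folder-open task was found, not that the project is safe.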

The North Korean government’s IT worker scheme, which involves using overseas technology workers to steal corporate and proprietary information, has been exposed. Three men were recently sentenced for their roles in the scheme, which involved wire fraud and violating international sanctions.

Source: https://thehackernews.com/2026/03/north-korean-hackers-abuse-vs-code-auto.html