WaterPlum Deploys New StoatWaffle Malware in VSCode-Based Supply Chain Campaign

A North Korea-linked hacking group known as WaterPlum has introduced a dangerous new malware called StoatWaffle, deploying it through compromised Visual Studio Code (VSCode) repositories disguised as legitimate blockchain development projects to silently infiltrate developer machines.

WaterPlum has been running a campaign known as “Contagious Interview” for some time, drawing victims in through fake job interview setups and tricking them into running harmful code on their systems.

The group is divided into several teams, and Team 8 — also tracked under the names Moralis and Modilus — is responsible for this latest wave. Team 8 previously depended on a malware family called OtterCookie as its main tool.

Starting around December 2025, the team shifted gears and began deploying StoatWaffle instead, signaling a clear and deliberate upgrade in its attack toolkit.

NTT Security analysts identified StoatWaffle while investigating Team 8’s latest activities, noting that the malware marks a meaningful shift in WaterPlum’s operational approach.

Their report, published on March 17, 2026, describes StoatWaffle as a fully modular, Node.js-based framework that operates in stages — consisting of a loader, a credential-stealing module, and a remote access trojan (RAT) component — each working together to give attackers deep access to compromised systems.

The attack starts with a carefully crafted repository shared among developers. Team 8 builds what appears to be a genuine blockchain project and places it where developers are likely to discover it.

Hidden inside the project is a .vscode folder containing a tasks.json file configured with a runOn: folderOpen setting.

As soon as a developer opens the folder in VSCode and grants it trust, the editor automatically executes a pre-set task — requiring no further action from the victim.

Attack flow (Source - NTT Security) — Attack flow (Source – NTT Security)

What makes this threat particularly serious is that most developers would not expect that simply opening a VSCode project folder could silently trigger a full malware infection running in the background — no scripts to run manually, no prompts to accept.

StoatWaffle’s Infection Chain

When the malicious task executes, it reaches out to a Vercel-hosted web application and downloads a batch script called vscode-bootstrap.cmd. This script first checks whether Node.js is installed on the machine.

If it is not, the script quietly downloads and installs it from the official Node.js website — removing a key technical barrier without drawing any attention. It then fetches a JavaScript file called env.npl, which acts as the first-stage downloader in StoatWaffle’s infection chain.

The env.npl file connects to a C2 server at 147[.]124.202.208 on port 3000 and polls the /api/errorMessage endpoint every five seconds.

When the server responds with an error status, the loader runs the JavaScript code embedded in that response, pulling down the second-stage payload.

Roughly five minutes into this polling cycle, the second downloader arrives and begins its own loop against the /api/handleErrors endpoint on the same server, silently spawning hidden child processes to stay out of sight.

Once the second downloader is active, StoatWaffle deploys both its Stealer and RAT modules at the same time.

The Stealer targets saved browser credentials and cryptocurrency wallet extension data across Chromium-based and Firefox browsers; on macOS, it also collects the Keychain database.

The RAT module awaits commands from the C2 server and can list files, run shell commands, upload directories, and search for files matching a keyword — giving the attacker wide and persistent control over the infected host.

Developers should avoid trusting unfamiliar or unverified VSCode repositories, particularly those related to blockchain or cryptocurrency work.

VSCode workspace trust settings should be reviewed carefully, and policies restricting runOn: folderOpen behavior should be enforced. Security teams are advised to block these indicators of compromise: 185[.]163.125.196, 147[.]124.202.208, 163[.]245.194.216, 66[.]235.168.136, and 87[.]236.177.9.

Watching for unexpected Node.js installations or hidden child processes spawned from VSCode can also serve as an early warning of compromise.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

Original article can be found here

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.