{"id":15998,"date":"2026-03-24T12:01:23","date_gmt":"2026-03-24T12:01:23","guid":{"rendered":"https:\/\/newestek.com\/?p=15998"},"modified":"2026-03-24T12:01:23","modified_gmt":"2026-03-24T12:01:23","slug":"new-stoatwaffle-malware-auto-executes-attacks-on-developers","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15998","title":{"rendered":"New \u2018StoatWaffle\u2019 malware auto\u2011executes attacks on developers"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>A newly disclosed malware strain dubbed \u201cStoatWaffle\u201d is giving fresh teeth to the notorious, developer-targeting \u201cContagious Interview\u201d threat campaign.<\/p>\n<p>According to NTT Security findings, the malware marks an evolution from the<a href=\"https:\/\/www.csoonline.com\/article\/4098699\/contagious-interview-attackers-go-full-stack-to-fool-developers.html\" target=\"_blank\"> long-running<\/a> campaign\u2019s user-triggered execution to a near-frictionless compromise embedded directly in developer workflows. Attackers are using blockchain-themed project repositories as decoys, embedding a malicious VS Code configuration file that triggers code execution when the folder is opened and trusted by the victim.<\/p>\n<p>\u201cStoatWaffle is a modular malware implemented by Node.js and it has Stealer and RAT modules,\u201d NTT researchers said in a blog <a href=\"https:\/\/jp.security.ntt\/insights_resources\/tech_blog\/stoatwaffle_malware_en\/\" target=\"_blank\" rel=\"noreferrer noopener\">post<\/a>, adding that the campaign operator \u201cWaterPlum\u201d is \u201ccontinuously developing new malware and updating existing ones.\u201d<\/p>\n<p>This means tracking Contagious Interview <a href=\"https:\/\/www.csoonline.com\/article\/4119927\/contagious-interview-turns-vs-code-into-an-attack-vector.html\">activity<\/a> may now require widening the scope of detection efforts to include weaponized dev environments, not just malicious packages and interview lures.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Opening a folder is all it takes<\/h2>\n<p>StoatWaffle abuses developer trust within Visual Studio Code environments. Instead of relying on users to execute suspicious scripts, like in earlier attacks, attackers are embedding malicious configurations inside legitimate-looking project repositories, often themed around blockchain development, a lure theme that has been consistent with Contagious Interview campaigns.<\/p>\n<p>The trick relies on a \u201c.vscode\/tasks.json\u201d file configured with a \u201crunOn: folderOpen\u201d setting. Once a developer opens the project and grants trust, the payload executes automatically without any further clicks. The executed StoatWaffle malware operates a modular, Node.js-based framework that typically unfolds in stages. These stages include a loader, credential harvesting components, and then a remote access trojan (<a href=\"https:\/\/www.csoonline.com\/article\/4125567\/this-stealthy-windows-rat-holds-live-conversations-with-its-operators.html\">RAT<\/a>) planted for persistence and pivoting access across systems.<\/p>\n<p>The RAT module maintains regular communication with an attacker-controlled C2 server, executing commands to terminate its own process, change the working directory, list files and directories, navigate to the application directory, retrieve directory details, upload a file, execute Node.js code, and run arbitrary shell commands, among others.<\/p>\n<p>StoatWaffle also exhibits custom behavior depending on the victim\u2019s browser. \u201cIf the victim browser was Chromium family, it steals browser extension data besides stored credentials,\u201d the researchers said. \u201cIf the victim browser was Firefox, it steals browser extension data besides stored credentials. It reads extensions.json and gets the list of browser extension names, then checks whether the designated keyword is included.\u201d<\/p>\n<p>For victims running macOS, the malware also targets Keychain databases, they added.<\/p>\n<h2 class=\"wp-block-heading\" id=\"contagious-interview-revisited\">Contagious Interview, revisited<\/h2>\n<p>StoatWaffle isn\u2019t an isolated campaign. It\u2019s the latest chapter in the Contagious Interview attacks, widely attributed to North Korea-linked threat actors tracked as WaterPlum.<\/p>\n<p>Historically, this campaign has <a href=\"https:\/\/www.csoonline.com\/article\/4090979\/north-koreas-job-test-trap-upgrades-to-json-malware-dropboxes.html\">targeted developers<\/a> and job seekers through fake interview processes, luring them into running malicious code under the guise of technical assessments. Previously, the campaign weaponized npm packages and staged loaders like <a href=\"https:\/\/socket.dev\/blog\/contagious-interview-campaign-escalates-67-malicious-npm-packages\" target=\"_blank\" rel=\"noreferrer noopener\">XORIndex and HexEval<\/a>, often distributing dozens of malicious packages to infiltrate developer ecosystems at scale.<\/p>\n<p>Team 8, one of the group\u2019s sub-clusters, previously relied on malware such as OtterCookie, shifting to StoatWaffle around December 2025, the researchers said.<\/p>\n<p>The disclosure also shared a set of IP-based indicators of compromise (IOCs), likely tied to C2 infrastructure observed during analysis, to support detection efforts.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A newly disclosed malware strain dubbed \u201cStoatWaffle\u201d is giving fresh teeth to the notorious, developer-targeting \u201cContagious Interview\u201d threat campaign. According to NTT Security findings, the malware marks an evolution from the long-running campaign\u2019s user-triggered execution to a near-frictionless compromise embedded directly in developer workflows. Attackers are using blockchain-themed project repositories as decoys, embedding a malicious VS Code configuration file that triggers code execution when the&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15998\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15998","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15998","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15998"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15998\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15998"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15998"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15998"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}