North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware
Summary
North Korean hackers are exploiting Microsoft Visual Studio Code's auto-run task feature to deploy a new malware family named StoatWaffle. This tactic, observed since December 2025, involves distributing malicious VS Code projects.
IFF Assessment
FOE
This development represents a novel attack vector that defenders may not be immediately aware of, increasing the risk of compromise.
Defender Context
Defenders should be aware of the increasing use of legitimate development tools for malicious purposes. It is important to scrutinize the contents of VS Code projects, especially those obtained from untrusted sources, and to educate developers on the potential risks associated with auto-run features.
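One way to scrutinize a project before opening it, as an added example that is not from the original report: the script below lists every task in a `.vscode/tasks.json` that is set to run when the folder is opened. It assumes the auto-run feature referred to above is VS Code's `runOptions.runOn: "folderOpen"` task setting; the function names and the sample file are constructed for illustration.

```python
import json

# Assumption: the page's "auto-run task" is a tasks.json task with runOn "folderOpen".
def strip_jsonc(text):
    """Remove // and /* */ comments and trailing commas; string contents are kept."""
    out, i, in_str = [], 0, False
    while i < len(text):
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < len(text):  # copy the escaped character
                i += 1
                out.append(text[i])
            elif c == '"':
                in_str = False
        elif text.startswith("//", i):  # skip to just before the line break
            i = (text + "\n").index("\n", i) - 1
        elif text.startswith("/*", i):  # skip to the last character of "*/"
            i = (text + "*/").index("*/", i + 2) + 1
        else:
            if c in "}]":  # drop whitespace and a trailing comma before a closer
                while out and out[-1].isspace():
                    out.pop()
                if out and out[-1] == ",":
                    out.pop()
            in_str = c == '"'
            out.append(c)
        i += 1
    return "".join(out)

def auto_run_tasks(tasks_json_text):
    """Return (label, command) for every task configured to run on folder open."""
    doc = json.loads(strip_jsonc(tasks_json_text))
    hits = []
    for task in doc.get("tasks", []):
        opts = task.get("runOptions")
        if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
            hits.append((task.get("label", "<unlabelled>"), task.get("command", "")))
    return hits

SAMPLE = """{ "version": "2.0.0", // constructed sample, not from any real project
  "tasks": [
    {"label": "build", "type": "shell", "command": "make"},
    {"label": "prepare", "type": "shell", "command": "echo constructed-sample",
     "runOptions": {"runOn": "folderOpen"}},
  ]
}"""

if __name__ == "__main__":
    print(auto_run_tasks(SAMPLE))
```

A hit marks a task whose command should be read before the folder is opened in VS Code; legitimate projects also use folder-open tasks, so it is a prompt for review rather than a verdict.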