A North Korea-linked hacking group, WaterPlum, is employing a new malware framework named StoatWaffle in targeted supply chain attacks. The group is disseminating this malware through malicious Visual Studio Code (VSCode) project repositories disguised as legitimate blockchain development projects, aiming to stealthily infiltrate developers’ machines. This threat leverages a multi-stage infection process, highlighting evolving tactics by state-sponsored cyber actors.
WaterPlum’s ongoing campaign, codenamed “Contagious Interview,” historically lured victims with deceptive job interview scenarios, tricking them into executing malicious code. The group operates with distinct teams, and Team 8, also known as Moralis or Modilus, is reportedly responsible for this recent escalation. Previously, Team 8 relied on the OtterCookie malware family but transitioned to deploying StoatWaffle starting in December 2025, indicating a significant upgrade in their arsenal.
StoatWaffle Malware Unveiled in VSCode Supply Chain Campaign
NTT Security analysts identified StoatWaffle during their investigation into Team 8’s recent activities. Their findings, published on March 17, 2026, detail StoatWaffle as a modular framework built on Node.js. The malware operates in distinct stages, comprising a loader, a credential-stealing module, and a remote access trojan (RAT). This layered approach enables attackers to gain deep and persistent access to compromised systems.
The attack vector begins with a meticulously crafted repository integrated into development workflows. Team 8 creates what appears to be a legitimate blockchain project and strategically places it within developers’ reach. Concealed within the project is a `.vscode` folder containing a `tasks.json` file. This configuration defines a task whose `runOptions` set `runOn` to `folderOpen`, which makes VSCode run that task automatically the moment a developer opens the folder and grants it workspace trust, requiring no further user interaction.
This method is particularly concerning as it bypasses typical user caution. Developers generally do not anticipate that simply opening a VSCode project folder could initiate a silent, background malware infection. The absence of explicit scripts to run or prompts to accept further complicates detection for the average user.
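The `tasks.json` mechanism described above can be audited before a folder is trusted. The following script is an added example written for this article, not code from NTT Security or the campaign. It parses a workspace's `.vscode/tasks.json` (which VS Code reads as JSON with comments and trailing commas, so the file is normalised first) and reports every task whose `runOptions.runOn` is `folderOpen`, noting whether its terminal is kept out of sight via `presentation.reveal: never`. The sample `tasks.json` embedded in it is constructed; its `bootstrap` task and `scripts/setup.js` path are hypothetical, not indicators from the campaign.

```python
"""Audit a workspace for VS Code tasks that run automatically on folder open.
Added example for this article, not code from NTT Security or the campaign."""
from __future__ import annotations

import json
from pathlib import Path


def _skip_ws_and_comments(text: str, j: int) -> int:
    """Advance j past whitespace and // or /* */ comments."""
    n = len(text)
    while j < n:
        if text[j].isspace():
            j += 1
        elif text.startswith("//", j):
            k = text.find("\n", j)
            j = n if k == -1 else k
        elif text.startswith("/*", j):
            k = text.find("*/", j + 2)
            j = n if k == -1 else k + 2
        else:
            break
    return j


def strip_jsonc(text: str) -> str:
    """Turn JSON-with-comments into strict JSON without touching string contents."""
    out: list[str] = []
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':                      # copy the whole string literal verbatim
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            j = min(j + 1, n)
            out.append(text[i:j])
            i = j
        elif text.startswith(("//", "/*"), i):
            i = _skip_ws_and_comments(text, i)
        elif c == ",":
            # Drop a trailing comma when only whitespace/comments precede } or ]
            j = _skip_ws_and_comments(text, i + 1)
            if j < n and text[j] in "}]":
                i += 1
                continue
            out.append(c)
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def find_auto_run_tasks(tasks_json_text: str) -> list[dict]:
    """Return one finding per task whose runOptions.runOn is "folderOpen"."""
    data = json.loads(strip_jsonc(tasks_json_text))
    findings = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        presentation = task.get("presentation") or {}
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "type": task.get("type"),
            "command": task.get("command"),
            "args": task.get("args", []),
            # presentation.reveal == "never" keeps the task's terminal out of sight
            "hidden": presentation.get("reveal") == "never",
        })
    return findings


def audit_workspace(root: str) -> list[dict]:
    """Audit <root>/.vscode/tasks.json; a missing file means nothing to report."""
    path = Path(root) / ".vscode" / "tasks.json"
    return find_auto_run_tasks(path.read_text(encoding="utf-8-sig")) if path.is_file() else []


# Constructed sample for this example; the "bootstrap" task and scripts/setup.js
# are hypothetical, not indicators from the campaign.
SAMPLE_TASKS_JSON = r'''{
    "version": "2.0.0",
    "tasks": [
        { "label": "build", "type": "shell", "command": "npm run build", },
        {
            "label": "bootstrap",
            "type": "shell",
            "command": "node",
            "args": ["scripts/setup.js"], /* hypothetical path */
            "presentation": { "reveal": "never" },
            "runOptions": { "runOn": "folderOpen" },
        },
    ],
}'''

if __name__ == "__main__":
    for f in find_auto_run_tasks(SAMPLE_TASKS_JSON):
        hidden = "  (terminal hidden)" if f["hidden"] else ""
        print(f"auto-run task {f['label']!r}: {f['command']} {' '.join(f['args'])}{hidden}")
```

Run `audit_workspace("/path/to/checkout")` against a freshly cloned repository before opening it in VSCode, or wire it into a pre-clone review step; any finding deserves a manual look at the referenced command before the folder is trusted.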
StoatWaffle’s Evolved Infection Chain
Upon execution of the malicious task, the malware contacts a Vercel-hosted web application to download a batch script named `vscode-bootstrap.cmd`. This script first verifies the presence of Node.js on the target machine. If Node.js is not installed, the script silently downloads and installs it from the official Node.js website, thereby removing a significant technical barrier without raising suspicion.
Subsequently, the script fetches a JavaScript file identified as `env.npl`, which serves as the initial stage downloader for the StoatWaffle infection chain. The `env.npl` file establishes communication with a command-and-control (C2) server located at `147[.]124.202.208` on port 3000. It periodically polls the `/api/errorMessage` endpoint, waiting for a server response indicating an error status.
When an error status is received, the loader executes the embedded JavaScript code, initiating the download of the second-stage payload. Approximately five minutes into this polling cycle, a second downloader becomes active. This downloader then begins its own loop, communicating with the `/api/handleErrors` endpoint on the same C2 server and discreetly spawning hidden child processes to maintain stealth.
Once the second downloader is operational, StoatWaffle deploys both its Stealer and RAT modules concurrently. The Stealer module is designed to exfiltrate saved browser credentials and cryptocurrency wallet extension data from both Chromium-based and Firefox browsers. On macOS systems, it also targets the Keychain database. The RAT component awaits direct commands from the C2 server, which can include actions such as listing files, executing shell commands, uploading directories, and searching for specific files. This grants the attackers extensive and persistent control over the compromised host environments.
Security experts advise developers to exercise extreme caution when dealing with unfamiliar or unverified VSCode repositories, especially those focused on blockchain or cryptocurrency development. Reviewing VSCode workspace trust settings and enforcing policies that restrict `runOn: folderOpen` behavior is crucial. Security teams are advised to block specific indicators of compromise, including IP addresses such as `185[.]163.125.196`, `147[.]124.202.208`, `163[.]245.194.216`, `66[.]235.168.136`, and `87[.]236.177.9`. Monitoring for unexpected Node.js installations or hidden child processes initiated from VSCode could serve as an early warning sign of a potential compromise.
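To turn the indicators and behaviours above into detections, here is an added example that is not part of the article or NTT Security's research. The IP addresses, port 3000, the two `/api/...` polling endpoints and the `vscode-bootstrap.cmd` name come from the article; the key=value record format, its field names (`ts`, `type`, `dst`, `dport`, `path`, `parent`, `image`, `cmdline`) and the sample events are constructed for this example and do not follow any product's schema. Process names (`Code.exe`, `cmd.exe`, `msiexec.exe`, `node.exe`) assume a Windows host and would need macOS equivalents.

```python
"""Flag StoatWaffle-style indicators in constructed endpoint and network telemetry.
Added example for this article (not NTT Security's code); see the lead-in for
which values come from the article and which are assumptions."""
from __future__ import annotations

import shlex

# Indicators exactly as listed in the article, kept defanged and refanged at load time.
DEFANGED_C2_IPS = [
    "185[.]163.125.196", "147[.]124.202.208", "163[.]245.194.216",
    "66[.]235.168.136", "87[.]236.177.9",
]
C2_PORT = "3000"
C2_PATHS = {"/api/errorMessage", "/api/handleErrors"}
BOOTSTRAP_NAME = "vscode-bootstrap.cmd"


def refang(ip: str) -> str:
    """Turn '147[.]124.202.208' into '147.124.202.208' for comparison."""
    return ip.replace("[.]", ".")


C2_IPS = {refang(ip) for ip in DEFANGED_C2_IPS}


def parse_record(line: str) -> dict[str, str]:
    """Parse 'k=v k2="quoted v"' into a dict; shlex handles the quoting."""
    rec: dict[str, str] = {}
    for tok in shlex.split(line):
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
    return rec


def classify(rec: dict[str, str]) -> list[str]:
    """Return the detection names that match one record (empty if none)."""
    hits: list[str] = []
    kind = rec.get("type")
    if kind == "net":
        if rec.get("dst") in C2_IPS:
            hits.append("ioc_ip")
        if rec.get("dport") == C2_PORT and rec.get("path") in C2_PATHS:
            hits.append("c2_polling_endpoint")
    elif kind == "proc":
        parent = rec.get("parent", "").lower()
        image = rec.get("image", "").lower()
        cmdline = rec.get("cmdline", "").lower()
        # VS Code's own process (Code.exe on Windows) launching the bootstrap script
        if parent == "code.exe" and image == "cmd.exe" and BOOTSTRAP_NAME in cmdline:
            hits.append("vscode_spawned_bootstrap")
        # A Node.js installer run from a shell rather than by a package manager
        if parent == "cmd.exe" and image == "msiexec.exe" and "node" in cmdline:
            hits.append("unexpected_node_install")
        # Node spawned directly by VS Code: legitimate for many tasks, so baseline it
        if parent == "code.exe" and image == "node.exe":
            hits.append("node_child_of_vscode")
    return hits


def scan(log_text: str) -> list[dict]:
    """Run every record through classify() and keep the ones that fire."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        hits = classify(rec)
        if hits:
            findings.append({"ts": rec.get("ts"), "type": rec.get("type"), "hits": hits})
    return findings


# Constructed telemetry for this example; 10.0.0.5 and 203.0.113.10 are placeholders
# and node-installer.msi is a hypothetical file name.
SAMPLE_LOG = r"""
ts=2026-03-10T09:00:01Z type=proc parent=explorer.exe image=Code.exe cmdline="Code.exe C:\src\defi-demo"
ts=2026-03-10T09:00:05Z type=proc parent=Code.exe image=cmd.exe cmdline="cmd.exe /c %TEMP%\vscode-bootstrap.cmd"
ts=2026-03-10T09:00:09Z type=proc parent=cmd.exe image=msiexec.exe cmdline="msiexec.exe /i node-installer.msi /qn"
ts=2026-03-10T09:00:15Z type=proc parent=Code.exe image=node.exe cmdline="node.exe env.npl"
ts=2026-03-10T09:00:20Z type=net src=10.0.0.5 dst=147.124.202.208 dport=3000 path=/api/errorMessage
ts=2026-03-10T09:00:21Z type=net src=10.0.0.5 dst=203.0.113.10 dport=443 path=/
ts=2026-03-10T09:05:30Z type=net src=10.0.0.5 dst=147.124.202.208 dport=3000 path=/api/handleErrors
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["type"], ", ".join(f["hits"]))
```

The IP match and the port-plus-path match are kept as separate hits so that a C2 moved to a new address still trips the endpoint rule, while `node_child_of_vscode` is a low-confidence signal that only becomes useful once normal task activity on developer machines has been baselined.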