North Korean Hackers Exploit VS Code Tasks to Deploy StoatWaffle Malware

The keys to the online kingdom, given away for easy money
A U.S. attorney describes how three men facilitated North Korea's IT worker fraud scheme.

Since December 2025, North Korean operatives have turned one of the most trusted tools in software development — Visual Studio Code — into a vector for infiltration, exploiting the quiet automation of a configuration file to plant malware called StoatWaffle on the machines of developers who had no reason to suspect their workspace. The campaign, known as Contagious Interview, is not merely a technical exploit but a study in misplaced trust: attackers impersonate recruiters, stage convincing job interviews, and leverage the vulnerability of ambition itself to gain access to cryptocurrency wallets, corporate infrastructure, and the identities of senior engineers. Microsoft has since patched the mechanism, and American courts have begun sentencing those who enabled the scheme — but the operation reveals how thoroughly the boundary between social engineering and cyberwarfare has dissolved.

  • A single configuration file — tasks.json — became the silent trigger, launching malware the moment a developer opened a project folder, requiring no click, no confirmation, no mistake beyond trusting their own tools.
  • StoatWaffle deploys in stages across Windows, macOS, and Linux, harvesting browser credentials, extracting iCloud Keychain data, and handing attackers live remote control over infected machines through a fully functional RAT.
  • The human layer of the attack is as sophisticated as the technical one: North Korean operatives posed as LinkedIn recruiters, ran multi-stage fake interviews, and specifically targeted founders, CTOs, and crypto executives — people with the highest-value access.
  • The campaign has metastasized beyond VS Code into malicious npm packages, hundreds of poisoned GitHub repositories, and fake video conference links that trick victims into executing clipboard-injected payloads.
  • Microsoft patched the auto-run vulnerability in January and February 2026, disabling the feature by default and adding workspace-level warnings — but the broader North Korean IT worker fraud network that funds and sustains these operations continues to operate at scale.

Since December 2025, North Korean hackers have been embedding malware inside Visual Studio Code projects through a mechanism so mundane it went unnoticed for months: a tasks.json configuration file set to execute commands the instant a developer opens a folder. The malware, named StoatWaffle, requires no user interaction to launch. It downloads an initial payload from a Vercel-hosted application, checks for Node.js, installs it if absent, and then begins a chained sequence of downloaders — each fetching the next stage from a command-and-control server, layering obfuscation with every step.

Once embedded, StoatWaffle splits into two modules. The first steals credentials and browser extension data from Chromium and Firefox, and on macOS, extracts the iCloud Keychain database. The second is a remote access trojan that gives attackers direct control: they can browse files, execute code, run shell commands, and erase their own traces when finished. The same threat actors have also distributed a Python backdoor through malicious npm packages, injected JavaScript into hundreds of public GitHub repositories, and in one notable breach, compromised a long-time open-source contributor's account to push encrypted payloads retrieved from blockchain transactions on Tron, Aptos, and Binance Smart Chain.

The entry point into all of this is human. Operating under the name Contagious Interview, the group impersonates tech recruiters on LinkedIn and conducts elaborate fake job interviews, targeting not junior developers but founders, CTOs, and senior engineers in the cryptocurrency and Web3 sectors — people with elevated access to company systems and digital wallets. Interviews culminate in asking candidates to run a command or install a package as part of a coding assessment. One attempt targeted the founder of AllSecure.io, though it failed. The attackers understand that job seekers are motivated, time-pressured, and inclined to trust the process.

Microsoft responded in January 2026 with VS Code version 1.109, disabling auto-run tasks by default and blocking malicious repositories from re-enabling the feature through their own settings files. A February update added a secondary warning prompt for newly opened workspaces. In March 2026, the U.S. Department of Justice sentenced three men for facilitating North Korea's IT worker fraud scheme — one receiving a year in prison and ordered to forfeit over $193,000. Researchers at Flare and IBM X-Force describe these workers as elite operatives, trained at prestigious universities and deployed to generate revenue, steal corporate data, conduct extortion, and support broader North Korean intelligence objectives. The operation has become, in the words of one U.S. attorney, a systematic effort to obtain the keys to the online kingdom.

Since December, North Korean hackers have been slipping malware into Visual Studio Code projects through a deceptively simple mechanism: a configuration file that runs automatically the moment a developer opens a folder. The malware, called StoatWaffle, arrives this way as part of a broader campaign tracked as Contagious Interview—an operation that has spent months impersonating tech recruiters on LinkedIn, staging fake job interviews, and convincing senior engineers and cryptocurrency executives to run malicious code.

The attack works because developers trust their tools. When someone opens a VS Code project, the application checks for a tasks.json file that can be configured to execute commands automatically. The attackers set the "runOn: folderOpen" option, meaning the malware launches without any user interaction the moment the project loads. According to NTT Security, the initial payload downloads from a Vercel-hosted application and checks whether Node.js is installed. If it isn't, the malware installs it from the official website, then launches a downloader that reaches out to a command-and-control server for the next stage of infection. This chain continues, with each downloader fetching and executing code from another endpoint, creating layers of obfuscation that make the attack harder to trace.

Once installed, StoatWaffle deploys two distinct modules. The first is a stealer that harvests credentials and extension data from web browsers—both Chromium-based browsers like Chrome and Edge, and Mozilla Firefox. On macOS systems, it also extracts the iCloud Keychain database. All stolen data gets uploaded to the attackers' command-and-control server. The second module is a remote access trojan that gives the attackers direct control over the infected machine. Through this RAT, they can change directories, enumerate files, execute Node.js code, upload files, search directories for specific keywords, run shell commands, and even terminate the malware itself to cover their tracks.

The sophistication of the campaign becomes clear when looking at the broader ecosystem of attacks. The same group has been distributing malicious npm packages containing PylangGhost, a Python-based backdoor—the first time this particular malware has been propagated through npm. In a separate operation called PolinRider, they've injected malicious JavaScript into hundreds of public GitHub repositories, ultimately deploying BeaverTail, a stealer and downloader. In one notable breach, they compromised the GitHub account of a long-time contributor to Neutralinojs, an open-source project, and used organization-level write access to force-push code that retrieves encrypted payloads from blockchain transactions on Tron, Aptos, and Binance Smart Chain.

The initial access vector reveals the human engineering at the core of these attacks. Microsoft's analysis shows that Contagious Interview operators pose as recruiters and conduct convincing fake technical interviews. They target specific individuals—not junior developers, but founders, CTOs, and senior engineers in the cryptocurrency and Web3 sectors, people with elevated access to company infrastructure and cryptocurrency wallets. They approach targets on LinkedIn, sometimes staging multi-stage interviews that culminate in asking the victim to run a command or install a package as part of a coding assessment. One recent attempt targeted the founder of AllSecure.io, though that particular attack failed. The attackers exploit the psychological state of job seekers: motivated, under time pressure, and inclined to trust the hiring process.

Microsoft responded to the VS Code exploitation in January 2026 with version 1.109, introducing a new setting called "task.allowAutomaticTasks" that defaults to off. Critically, the update prevents this setting from being overridden at the workspace level, meaning malicious repositories cannot use their own .vscode/settings.json file to re-enable auto-run tasks. A follow-up release in February added a secondary prompt that warns users when an auto-run task is detected in a newly opened workspace, providing an additional layer of protection after the initial Workspace Trust prompt.
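The tasks.json trigger described above (a task whose "runOptions" carry "runOn": "folderOpen") and the task.allowAutomaticTasks kill switch can both be audited before a freshly cloned folder is ever opened. The script below is an added example written for this piece, not code from NTT Security, Microsoft or the VS Code project. It assumes the tasks.json layout VS Code uses (a "tasks" array whose entries may carry "runOptions": {"runOn": "folderOpen"}) and the setting name quoted in the article; the two files it inspects are constructed samples, and it tolerates the comments and trailing commas VS Code accepts so that a comment-laden file is not skipped by a strict JSON parser.

```python
"""Audit helper: flag VS Code tasks that fire on folder open and check the user-level setting.

Added example for this article; not code from the page, NTT Security, Microsoft or VS Code.
Assumed layout: tasks.json has a "tasks" array whose entries may set
"runOptions": {"runOn": "folderOpen"}; the user settings key is "task.allowAutomaticTasks".
"""
import json
from typing import Dict, List


def strip_jsonc(text: str) -> str:
    """Turn VS Code's JSON-with-comments into strict JSON.

    Removes // and /* */ comments and trailing commas that appear outside string
    literals; string contents (including escaped quotes) are copied untouched.
    """
    out: List[str] = []
    i, n = 0, len(text)
    in_str = False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:          # keep the escaped character verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):           # line comment: skip to end of line
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):           # block comment: skip to closing marker
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        elif c == ",":                           # drop a comma directly before } or ]
            j = i + 1
            while j < n and text[j] in " \t\r\n":
                j += 1
            if j < n and text[j] in "}]":
                i += 1
            else:
                out.append(c)
                i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def find_auto_run_tasks(tasks_json_text: str) -> List[Dict[str, str]]:
    """Return every task configured to run when the folder is opened."""
    data = json.loads(strip_jsonc(tasks_json_text))
    findings = []
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            findings.append({
                "label": task.get("label", "<unlabelled>"),
                "type": task.get("type", "<unknown>"),
                "command": task.get("command", ""),
            })
    return findings


def automatic_tasks_pinned_off(settings_json_text: str) -> bool:
    """True only when the user settings explicitly set task.allowAutomaticTasks to "off"."""
    settings = json.loads(strip_jsonc(settings_json_text))
    return settings.get("task.allowAutomaticTasks") == "off"


# Constructed sample: one routine build task and one task hidden behind a comment
# that fires on folder open. The command path is a placeholder, not a real payload.
SAMPLE_TASKS = r'''{
    // constructed sample tasks.json
    "version": "2.0.0",
    "tasks": [
        {
            "label": "build",
            "type": "shell",
            "command": "npm run build",
        },
        {
            "label": "prepare",
            "type": "shell",
            "command": "node ./.vscode/setup.js",   /* placeholder; runs on open */
            "runOptions": { "runOn": "folderOpen" },
        },
    ]
}'''

# Constructed sample user settings.json with the kill switch pinned.
SAMPLE_SETTINGS = '{ "task.allowAutomaticTasks": "off" }'


if __name__ == "__main__":
    for hit in find_auto_run_tasks(SAMPLE_TASKS):
        print(f"auto-run task '{hit['label']}' ({hit['type']}): {hit['command']}")
    print("user setting pins automatic tasks off:", automatic_tasks_pinned_off(SAMPLE_SETTINGS))
```

Run it over each .vscode/tasks.json in a repository you have just cloned (a pre-open step in a triage workflow, or a CI check on inbound contributions) and treat any finding as something to read before the folder is opened in the editor. On the 1.109 and later builds the article describes, the workspace cannot re-enable automatic tasks, so the settings check mostly matters for auditing older installs that have not yet been updated.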

The North Korean operation extends beyond VS Code into broader cryptocurrency targeting. In recent months, the same threat actors have been running coordinated campaigns on LinkedIn, impersonating venture capital firms and sending fraudulent video conference links. These attacks culminate in fake CAPTCHA pages that trick victims into executing commands injected into their clipboard, with payloads tailored for both macOS and Windows. The activity overlaps with clusters tracked as GhostCall and UNC1069.

In March 2026, the U.S. Department of Justice sentenced three men for their roles in facilitating North Korea's IT worker fraud scheme. Audricus Phagnasay, 25, and Jason Salazar, 30, each received three years of probation and $2,000 fines. Alexander Paul Travis, 35, received one year in prison and was ordered to forfeit $193,265—the amount North Korean workers earned using his identity. According to recent research by Flare and IBM X-Force, these IT workers are considered elite members of North Korean society, trained at prestigious universities and vetted through rigorous interviews before joining the scheme. They serve multiple strategic objectives for the North Korean government: generating revenue, conducting remote employment fraud, stealing corporate information, extortion, and supporting other North Korean threat groups. The operation has become, in the words of one U.S. attorney, a way for North Korea to obtain "the keys to the online kingdom."

These men practically gave the keys to the online kingdom to likely North Korean overseas technology workers seeking to raise illicit revenue for the North Korean government—all in return for what to them seemed like easy money.
— Margaret Heap, U.S. attorney for the Southern District of Georgia

By embedding targeted malware delivery directly into interview tools, coding exercises, and assessment workflows developers inherently trust, threat actors exploit the trust job seekers place in the hiring process during periods of high motivation and time pressure.
— Microsoft analysis of Contagious Interview
The Hearth Conversation: Another perspective on the story
Inventor

Why does a configuration file in VS Code matter so much? Isn't it just a text file?

Model

It's a text file that runs code automatically. Most developers never look at tasks.json unless they're setting up build processes. The attacker counts on that—the file sits there, invisible, and executes the moment the folder opens.

Inventor

So the victim downloads a malicious project from GitHub, opens it in VS Code, and the malware runs before they even know what happened?

Model

Exactly. And because it's Node.js code running in a trusted development environment, it has access to everything—browser data, credentials, the ability to download more malware. It's like inviting someone into your house through a door you didn't know existed.

Inventor

The attackers are targeting senior engineers and CTOs specifically. Why not go after junior developers?

Model

Junior developers don't have the access that matters. A CTO controls the company's infrastructure, cryptocurrency wallets, proprietary code. A senior engineer at a crypto firm might have keys to millions of dollars. The attackers are patient and selective.

Inventor

How does a fake job interview convince someone to run malicious code?

Model

It's psychological. You're excited about the opportunity, you're under time pressure, you want to prove yourself. The interviewer asks you to run a command as part of the assessment. It feels normal. You're not thinking about security—you're thinking about getting the job.

Inventor

Microsoft patched this in January. Is the threat over?

Model

The patch helps, but only if people update. And the attackers are already adapting—newer versions of their malicious projects are using GitHub Gist instead of Vercel to host payloads. They're refining their tradecraft constantly.

Inventor

What does it mean that these are "elite members of North Korean society"?

Model

It means the North Korean government has invested heavily in training these people. They're not random criminals. They're part of a state apparatus designed to generate revenue and steal information. This isn't opportunistic—it's strategic.
