That VS Code Project You Opened? It's Already Running Malware
North Korean hackers are sending developers fake coding assessments that auto-execute malware the moment you open the project in VS Code. No clicks required.
Here's something that should make every developer uncomfortable: there's a setting in VS Code that lets a project run arbitrary shell commands the instant you open its folder. No play button, no terminal interaction, no "are you sure?" dialog. You open the folder, and code executes.
North Korean hackers figured this out months ago. They've been sending developers fake job interview coding assessments — polished GitHub repos with a .vscode/tasks.json file configured to auto-execute the moment you open the project. The malware it drops, called StoatWaffle, steals browser passwords, cryptocurrency wallets, cloud credentials, and on macOS, your entire iCloud Keychain. All while you're reading the README and thinking about how to approach the coding challenge.
This campaign has been running since late 2023 under the name "Contagious Interview," but the VS Code auto-execution trick is newer — it started appearing in December 2025 when the group's Team 8 sub-cluster shifted tactics. Microsoft, ESET, NTT Security, and several other vendors have published analyses, and the picture they paint is unsettling.
The Trick: tasks.json and runOn
VS Code has a task automation system. You define tasks in .vscode/tasks.json — things like "build the project" or "run the linter" — and VS Code can execute them for you. One of the configuration options is runOn, which determines when a task runs automatically. Set it to folderOpen, and the task executes when the workspace opens.
That's the entire exploit. A tasks.json file with "runOn": "folderOpen" and a shell command as the task definition. When you open the project folder in VS Code, the editor asks if you trust the folder's authors. The trust dialog is designed to nudge you toward clicking "Yes" — it's the highlighted default option. Once you click it, VS Code processes the tasks file and runs whatever command is inside.
The malicious tasks.json files in this campaign are platform-aware. They detect whether you're on macOS, Windows, or Linux, and run the appropriate payload:
- macOS: nohup bash -c combined with curl to fetch JavaScript from a remote server and pipe it into Node.js
- Windows: Downloads via cmd.exe and curl, installs Node.js if it's not present, pulls npm packages, then fetches the payload
- Linux: Similar curl-to-Node.js pipeline
The actual malicious code isn't in the repository. The tasks.json fetches it from Vercel-hosted apps or Render endpoints at runtime. This means GitHub's automated security scanning sees nothing wrong — the repo contains a legitimate-looking project with a tasks configuration file that happens to download something when opened.
The Social Engineering: Fake Jobs, Real Damage
The technical trick only works if someone opens the project. That's where the social engineering comes in, and it's disturbingly well-crafted.
The attackers pose as recruiters on LinkedIn, Upwork, CryptoJobsList, and other platforms. They target specific people — senior developers, CTOs, and founders at cryptocurrency and Web3 companies. These aren't spray-and-pray phishing emails. They're personalized messages about specific job opportunities at what appear to be real companies.
The group created at least three front companies: BlockNovas LLC (registered in New Mexico with a fake address that turned out to be an abandoned lot), Angeloper Agency, and SoftGlide LLC. BlockNovas had a LinkedIn page, Twitter account, Medium blog, and claimed 12+ years of operation, 20+ team members, and 53+ completed projects. They listed real crypto companies like Poloniex and Phemex as clients.
The fake personas are backed by AI-generated profile photos made with Remaker AI. During video interviews, the operators use real-time face swaps to match the fake persona's appearance. You think you're talking to "Alexander Nolan," a recruiter at BlockNovas — but it's a North Korean operative running a deepfake filter over their webcam.
After the interview, you receive a "technical assessment" — a GitHub repository to clone and open in VS Code. The project looks legitimate. It's a blockchain app, a DeFi frontend, a trading tool. The kind of thing you'd expect for a crypto company's hiring process.
You clone it. You open it in VS Code. You click "Trust." Game over.
The FBI seized the BlockNovas domain in April 2025, but the campaign adapted. New domains, new front companies, new repositories. Seventeen malicious GitHub repos were identified under BlockNovas alone, and researchers have found infrastructure spanning multiple hosting providers and countries.
What StoatWaffle Steals
StoatWaffle is a multi-stage Node.js malware with both stealer and remote access capabilities. Here's what it takes:
Browser credentials from everything. Chrome, Brave, Opera, Edge, Firefox — it grabs the Login Data SQLite databases, encryption keys, and extension data. On Windows, it even checks for Windows Subsystem for Linux and accesses your Linux-side browser data too.
Twenty-one cryptocurrency wallet extensions. MetaMask, Phantom, Rabby, Exodus, Solflare, Tonkeeper, OKX Wallet, and fifteen others. It extracts the extension storage data, which often contains encrypted private keys. On disk, it also grabs Solana CLI keypair files from ~/.config/solana/id.json.
The macOS iCloud Keychain. The malware has a dedicated upload_keychain_and_login_data_to_c2 function that targets /Library/Keychains/login.keychain. If you store passwords, certificates, or keys in your macOS Keychain — and you do, because macOS puts them there by default — StoatWaffle takes the whole database.
Environment variables and .env files. It dumps process.env and recursively searches drives C through G on Windows for .env files. API keys, database connection strings, cloud credentials — whatever's in your environment gets exfiltrated.
Live clipboard contents. A watchClipboard function sends your clipboard to the C2 server every single second via PowerShell. Copy a password, an API key, a crypto address — the attacker sees it instantly.
The stolen data gets staged in temp directories, zipped, encrypted with HMAC using hardcoded secrets, and uploaded to command-and-control servers. The C2 infrastructure spans multiple IP addresses across different hosting providers, with the primary channels running on ports 1224, 3000, and 8085-8087.
And it doesn't stop at stealing. StoatWaffle includes a full remote access toolkit: file listing, shell command execution, arbitrary code execution, process management. Once it's on your machine, the attacker can come back for anything they missed.
Why Developers Are Perfect Targets
This campaign targets developers specifically, and there's a cold logic to it.
Developers have credentials to everything. Source code repositories, CI/CD pipelines, cloud infrastructure, production databases, internal tools. Compromise one senior developer at a crypto company, and you potentially have access to the company's hot wallets, deployment keys, and customer data.
Developers are also conditioned to clone repositories and open them in their editors. It's what we do dozens of times a week. The action of cloning a repo and opening it in VS Code is muscle memory — there's no friction point where you stop and think "wait, should I inspect every configuration file first?"
And developers applying for jobs are in a particularly vulnerable mental state. They want to impress. They're thinking about the coding challenge, not about whether the .vscode directory contains something dangerous. The social engineering exploits professional ambition, which is a motivation that's hard to defend against with technical controls alone.
How to Protect Yourself
Update VS Code to 1.110 or Later
Microsoft addressed this attack vector after it became public. VS Code 1.109 (January 2026) changed task.allowAutomaticTasks to default to "off". Version 1.110 added a secondary warning prompt when an auto-run task is detected in a newly opened workspace.
If you're on an older version, update. If you can't update immediately, set this in your user settings (not workspace settings — workspace settings are controlled by the project you're opening):
{
  "task.allowAutomaticTasks": "off"
}
The setting file lives at:
- macOS: ~/Library/Application Support/Code/User/settings.json
- Windows: %APPDATA%\Code\User\settings.json
- Linux: ~/.config/Code/User/settings.json
Critically, VS Code 1.109 also prevents this setting from being overridden at the workspace level. Before that update, a malicious .vscode/settings.json in the repo could re-enable auto-run tasks even if you'd disabled them globally.
Inspect Repos Before Opening Them
Before you open a cloned repository in VS Code, check for .vscode/tasks.json from the terminal:
cat .vscode/tasks.json 2>/dev/null
Red flags to look for:
- "runOn": "folderOpen" — this is the auto-execution trigger
- Shell commands involving curl, wget, or PowerShell
- Commands that pipe downloaded content into an interpreter (| node, | bash, | python)
- OS-conditional command branching (different commands for Windows/macOS/Linux)
- Obfuscated strings or base64-encoded content
Also check .vscode/settings.json for attempts to override security settings, and .vscode/extensions.json for recommendations to install unfamiliar extensions.
Use Container-Based Development Environments
If you regularly evaluate code from untrusted sources — open source contributions, job assessments, client projects — do it inside a container. VS Code's Dev Containers extension lets you open projects in Docker containers with isolated filesystems and network access. GitHub Codespaces does the same thing in the cloud.
A malicious tasks.json running inside a container can't reach your host's browser profiles or cryptocurrency wallets, and the only part of the host filesystem it sees is what you mount into the container (Dev Containers bind-mount the workspace folder itself by default, so keep nothing sensitive in that folder). It's contained by design.
Verify the Company and Recruiter
If you receive an unsolicited job offer that involves a coding assessment:
- Check the company's registration. BlockNovas was "registered" in New Mexico but listed a fake South Carolina address. A quick search would have revealed the inconsistency.
- Reverse image search the recruiter's photo. AI-generated faces often appear in other contexts or have telltale artifacts.
- Ask for a video call before doing any assessment. Face-swap technology has gotten good, but it still has tells — inconsistent lighting, artifacts around face edges, and unnatural expressions during quick movements.
- Verify through independent channels. If someone claims to be from a known company, reach out to the company directly through their official website. Don't use contact information provided by the recruiter.
Scope Your Development Environment
Even without this specific attack, your development machine is a high-value target. Some hygiene steps:
- Don't store production credentials on your laptop. Use a secrets manager and short-lived tokens.
- Keep cryptocurrency wallets on a hardware device, not in browser extensions on your development machine.
- Use separate browser profiles for development and personal use. Your development browser doesn't need access to your banking sessions or password vault extension.
- Audit your .env files. If StoatWaffle finds API keys to your cloud provider sitting in a .env file, those keys are gone. Use tools like direnv with .envrc files that pull secrets from a vault at runtime instead of storing them on disk.
The Bigger Picture
This campaign has been running for over two years. The FBI shut down one of the front companies, but the operation continued with new infrastructure. Multiple security vendors have published detailed analyses, but the attackers keep adapting — new fake companies, new repositories, new delivery mechanisms.
The VS Code auto-run trick was just the latest iteration. Before that, the group used a "ClickFix" technique where fake interview sites claimed your camera wasn't working and instructed you to run a terminal command to "fix" it. Before that, it was trojanized npm packages. The social engineering wrapper stays the same; the technical delivery evolves.
What's worth sitting with is how thin the line was. A tasks.json file with one configuration option set to auto-run. A trust dialog that defaults to "Yes." A developer who's thinking about a job opportunity instead of examining dotfiles. That's all it took.
Microsoft's fix — defaulting allowAutomaticTasks to off and preventing workspace-level overrides — is the right call, but it only happened after the attack was documented. How many other editor features have similar "run arbitrary code on open" behavior that nobody's looked at yet? Cursor, the AI-powered VS Code fork, had the same issue. Any editor with a plugin or task system that can auto-execute on workspace open is a potential vector.
Check your VS Code version. Check your settings. And the next time someone sends you a coding assessment, look at the .vscode folder before you look at the README.
Sources: The Hacker News, Microsoft Security Blog, CSO Online, Jamf, Abstract Security, Silent Push