North Korean threat actors behind the Contagious Interview campaign, also tracked as WaterPlum, have developed a new malware distribution method using Microsoft Visual Studio Code projects. The group is deploying a malware family called StoatWaffle through malicious VS Code configurations.

The attack leverages VS Code's "tasks.json" feature to automatically execute malicious code when developers open seemingly legitimate projects. This represents a tactical evolution for the threat group, with the new approach first observed in December 2025.

The technique exploits VS Code's task automation capabilities, which allow projects to define scripts that run automatically when opened. By embedding malicious commands in the tasks.json configuration file, attackers can achieve code execution on developer machines without requiring additional user interaction beyond opening the project.
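A defender can audit a cloned repository for this auto-run behaviour before opening it in VS Code. The following is an added example, not code from the original report: it assumes the trigger is VS Code's `runOptions.runOn: "folderOpen"` task property, and the sample `tasks.json` is constructed, since the campaign's actual file is not shown here.

```python
import json
import re
from pathlib import Path

_STRING = r'"(?:\\.|[^"\\])*"'

def _drop(pattern, text):
    """Delete matches of `pattern` that fall outside JSON string literals."""
    def keep_strings(m):
        return m.group(0) if m.group(0).startswith('"') else ""
    return re.sub(_STRING + "|" + pattern, keep_strings, text, flags=re.S)

def parse_jsonc(text):
    """tasks.json is JSON with comments and trailing commas; normalise, then parse."""
    text = _drop(r"//[^\n]*|/\*.*?\*/", text)
    return json.loads(_drop(r",(?=\s*[}\]])", text))

def auto_run_tasks(doc):
    """Return (label, [commands]) for each task that starts on folder open."""
    findings = []
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        # Per-OS blocks can override the top-level command, so collect them all.
        scopes = [task] + [task.get(k, {}) for k in ("windows", "linux", "osx")]
        commands = [s["command"] for s in scopes if s.get("command")]
        findings.append((task.get("label", "<unlabelled>"), commands))
    return findings

def scan_tree(root):
    """Map each .vscode/tasks.json under `root` to its auto-run tasks."""
    report = {}
    for path in Path(root).rglob("tasks.json"):
        if path.parent.name != ".vscode":
            continue
        try:
            hits = auto_run_tasks(parse_jsonc(path.read_text(encoding="utf-8")))
        except (ValueError, AttributeError):
            hits = [("<unparsable tasks.json>", [])]  # review by hand
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample: one ordinary task, one that runs when the folder opens.
SAMPLE = r'''{
  // constructed sample, not taken from the campaign
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build" },
    { "label": "env-setup", "type": "shell",
      "command": "echo placeholder-for-https://example.invalid/x",
      "runOptions": { "runOn": "folderOpen" }, },
  ]
}'''

if __name__ == "__main__":
    print(auto_run_tasks(parse_jsonc(SAMPLE)))
```

Run `scan_tree()` over a fresh clone from a terminal rather than from inside the editor. Setting `task.allowAutomaticTasks` to `off` in VS Code user settings stops folder-open tasks from starting at all.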

The campaign builds on the group's established Contagious Interview operations, which have historically targeted software developers through fake job opportunities and technical assessments. The shift to VS Code-based delivery methods suggests the threat actors are adapting their tactics to target development environments more directly.

This activity aligns with broader North Korean state-sponsored cyber operations focused on cryptocurrency theft and supply chain compromise. The group's continued evolution of attack methods demonstrates their commitment to targeting the software development community.