StoatWaffle malware distributed through malicious VS Code projects
Malware Activity
Summary
Hide ▲
Show ▼
The StoatWaffle malware is being delivered through malicious VS Code projects, creating a live risk of credential theft and remote command execution on developer systems. The delivery chain abuses `tasks.json` with `runOn: folderOpen` so opening a workspace can trigger code execution automatically. The payload can install Node.js if needed, then fetch staged downloader code and deploy a stealer plus a RAT. Since December 2025, the activity has expanded to steal browser credentials, extension data, and even the iCloud Keychain database on macOS.
Related Happenings
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks
Malware Activity
H score30
First: 29.06.2026 08:36
Last: 29.06.2026 08:36
Sources 1
About this happening:
Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks
Malware ActivityAbout this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...
Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw
Vulnerability
H score33
First: 22.06.2026 20:28
Last: 22.06.2026 20:28
Sources 1
About this happening:
Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.
Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw
VulnerabilityAbout this happening: Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.
Npm v12 default-blocks install scripts, Git dependencies, and remote URLs
Security Tool/Service
H score11
First: 12.06.2026 16:00
Last: 12.06.2026 16:00
Sources 1
About this happening:
GitHub announced **npm v12** with **default-blocking install scripts, Git dependencies, and remote URLs**, shifting package installation to **explicit opt-in** and reducing **supp...
Npm v12 default-blocks install scripts, Git dependencies, and remote URLs
Security Tool/ServiceAbout this happening: GitHub announced **npm v12** with **default-blocking install scripts, Git dependencies, and remote URLs**, shifting package installation to **explicit opt-in** and reducing **supp...
Shai-Hulud worm clone activity on NPM
Malware Activity
H score69
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Shai-Hulud worm clone activity on NPM
Malware ActivityAbout this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
H score56
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
CampaignAbout this happening: The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...
Timeline
-
23.03.2026 20:09 2 articles · 3mo ago
StoatWaffle malware distributed through malicious VS Code projects
Initial DisclosureThe first observed stage abuses `tasks.json` in **VS Code** with `runOn: folderOpen` to auto-start a download chain when a workspace opens. That setup lets the payload reach out to remote infrastructure and stage Node.js-based execution before a user notices.
Show sources
- North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware — thehackernews.com — 23.03.2026 20:09
- North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware — thehackernews.com — 23.03.2026 20:09