Find notable cyber news and cases, enriched with sources, timelines, and signals.

StoatWaffle malware distributed through malicious VS Code projects

Malware Activity
First reported
Last updated
Happening score
H score 29
1 unique sources, 1 articles

Summary

Hide ▲

The StoatWaffle malware is being delivered through malicious VS Code projects, creating a live risk of credential theft and remote command execution on developer systems. The delivery chain abuses `tasks.json` with `runOn: folderOpen` so opening a workspace can trigger code execution automatically. The payload can install Node.js if needed, then fetch staged downloader code and deploy a stealer plus a RAT. Since December 2025, the activity has expanded to steal browser credentials, extension data, and even the iCloud Keychain database on macOS.

Related Happenings

Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks

Malware Activity
H score30 First: 29.06.2026 08:36 Last: 29.06.2026 08:36 Sources 1

About this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...

Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw

Vulnerability
H score33 First: 22.06.2026 20:28 Last: 22.06.2026 20:28 Sources 1

About this happening: Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.

Npm v12 default-blocks install scripts, Git dependencies, and remote URLs

Security Tool/Service
H score11 First: 12.06.2026 16:00 Last: 12.06.2026 16:00 Sources 1

About this happening: GitHub announced **npm v12** with **default-blocking install scripts, Git dependencies, and remote URLs**, shifting package installation to **explicit opt-in** and reducing **supp...

Shai-Hulud worm clone activity on NPM

Malware Activity
H score69 First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials

Campaign
H score56 First: 12.05.2026 14:29 Last: 12.05.2026 14:29 Sources 1

About this happening: The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...

Timeline

  1. 23.03.2026 20:09 2 articles · 3mo ago

    StoatWaffle malware distributed through malicious VS Code projects

    Initial Disclosure

    The first observed stage abuses `tasks.json` in **VS Code** with `runOn: folderOpen` to auto-start a download chain when a workspace opens. That setup lets the payload reach out to remote infrastructure and stage Node.js-based execution before a user notices.

    Show sources