StratosAlly – Cybersecurity for digital safety

VS Code Becomes the Latest Weapon in North Korean Cyber Attacks

StratosAlly

North Korean-linked hackers are changing their approach again, this time by misusing a tool that developers trust every day.

They are using malicious Microsoft Visual Studio Code (VS Code) projects as bait in an ongoing campaign known as Contagious Interview. The goal? To quietly install backdoors on developers’ systems.

Here’s how it works.

Attackers hide harmful instructions behind a VS Code task option called runOn: folderOpen. In simple terms, this means that just opening a project folder can trigger code to run automatically, without you clicking anything else.

The attack usually starts with social engineering. Developers are tricked into downloading what looks like a normal coding project. It could be a job assignment or even a blockchain-related repository.

But behind the scenes, there’s a small hidden configuration file. The moment you open the folder, it runs code in the background.

That code then downloads malware called StoatWaffle, which gives attackers access to your system.

This method, first seen in late 2025, shows a clear shift in how cyberattacks are evolving. Instead of obvious malware, attackers are now hiding threats inside tools and workflows people already trust.

Microsoft has responded by adding new security protections in recent VS Code updates:

  • Automatic task execution is now turned off by default
  • Warnings appear when tasks try to run automatically
  • Workspace settings can no longer easily override your security preferences

These changes are meant to reduce the risk, but they don’t remove it completely.

The bigger lesson here is simple. Even trusted tools can be misused.

If you’re a developer, don’t assume a project is safe just because it looks legitimate. Take a moment to check files, especially hidden configs, before opening anything new.

Because today, something as simple as opening the wrong folder can be enough to compromise your system.
