BRIEF

APT · ActiveRisk: HighRegion: North KoreaHub: Global IntelligenceBrief #00421Priority Score: 85APT · ActiveRisk: HighRegion: North KoreaHub: Global IntelligenceBrief #00421Priority Score: 85

North Korea-linked Team 8 exploits VS Code auto-run to distribute StoatWaffle malware

HIGH RISK

BRIEF #00421

APT North Korea Global Intelligence

North Korea-linked Team 8 exploits VS Code auto-run to distribute StoatWaffle malware

March 24, 2026 at 09:01 AM

Priority85

Technology · Software Development · IT Services

2.2

Always First

Executive Risk Brief

HIGH RISK

Incident Type

APT

Risk Level

High

Affected Sectors

Technology, Software Development, IT Services

Geographic Impact

North Korea

Severity Index

85 / 100

ALERT

Immediate Enterprise Concern

Developers may inadvertently execute malicious code by opening untrusted project repositories that leverage VS Code's automated task execution features.

2.3

Incident Overview

What Happened

Threat actor Team 8, associated with North Korean state interests, has been observed distributing the StoatWaffle malware through malicious Microsoft Visual Studio Code projects. The attack vector relies on the 'tasks.json' configuration file, which automatically executes predefined commands when a project folder is opened in the IDE. This technique allows attackers to achieve code execution on a victim's machine without requiring additional user interaction beyond opening the project. The campaign has been active since late 2025.

◆

2.4

Strategic Impact

Why It Matters

This campaign represents a sophisticated supply chain and social engineering threat targeting the software development ecosystem. By weaponizing legitimate IDE features, attackers can bypass traditional security controls that focus on executable files rather than configuration-based triggers. The use of StoatWaffle malware suggests an intent to establish persistent access for espionage or further lateral movement within corporate networks. Organizations relying on open-source or third-party code repositories are at elevated risk of compromise.

◆

2.5

Conditional Advisory

Citizen Safety Summary

Live Citizen Advisory · North Korea

APT Safety Alert

Est. Reports Filed

Score 85

Active Since

Mar 24, 2026

Sectors Targeted

Technology, Software Development

If you are a software developer, be cautious when opening project folders from untrusted or unknown sources in Visual Studio Code. Always inspect the 'tasks.json' file within a project folder for suspicious commands before running the project, and ensure your security software is updated to detect malicious scripts.

2.6

Operational Directives

QPulse Advisory Block

Immediate Action

Time-sensitive · Act now

Audit current VS Code project repositories for suspicious 'tasks.json' configurations and restrict the execution of workspace tasks for untrusted folders.

Monitoring Recommendation

Detection & visibility

Monitor endpoint logs for unusual child processes spawned by 'code.exe' or 'taskhostw.exe' and track outbound network traffic from development workstations.

Preventive Control

Reduce attack surface

Implement strict policies regarding the opening of external project folders and enforce the 'Restricted Mode' feature in VS Code for all untrusted workspaces.

Governance Consideration

Policy & compliance

Establish a secure development lifecycle policy that mandates the scanning of all project configuration files and restricts the use of automated task execution in production environments.

QPulseIntelligence

Advisory purposes only · QPulse Security Intelligence Platform · 2026 · Brief #00421

2.2

Always First

Executive Risk Brief

HIGH RISK

Incident Type

APT

Risk Level

High

Affected Sectors

Technology, Software Development, IT Services

Geographic Impact

North Korea

Severity Index

85 / 100

ALERT

Immediate Enterprise Concern

Developers may inadvertently execute malicious code by opening untrusted project repositories that leverage VS Code's automated task execution features.

2.3

Incident Overview

What Happened

◆

2.4

Strategic Impact

Why It Matters

◆

2.5

Conditional Advisory

Citizen Safety Summary

Live Citizen Advisory · North Korea

APT Safety Alert

Est. Reports Filed

Score 85

Active Since

Mar 24, 2026

Sectors Targeted

Technology, Software Development

2.6

Operational Directives

QPulse Advisory Block

Immediate Action

Time-sensitive · Act now

Audit current VS Code project repositories for suspicious 'tasks.json' configurations and restrict the execution of workspace tasks for untrusted folders.

Monitoring Recommendation

Detection & visibility

Monitor endpoint logs for unusual child processes spawned by 'code.exe' or 'taskhostw.exe' and track outbound network traffic from development workstations.

Preventive Control

Reduce attack surface

Implement strict policies regarding the opening of external project folders and enforce the 'Restricted Mode' feature in VS Code for all untrusted workspaces.

Governance Consideration

Policy & compliance

Establish a secure development lifecycle policy that mandates the scanning of all project configuration files and restricts the use of automated task execution in production environments.

QPulseIntelligence

Advisory purposes only · QPulse Security Intelligence Platform · 2026 · Brief #00421