North Korean state-sponsored hackers are increasingly turning trusted developer tools like Visual Studio Code into stealthy attack vectors, abusing built-in automation features to silently compromise systems.

According to recent reports, attackers are exploiting VS Code’s auto-execution functionality—particularly configuration files like tasks.json—to trigger malicious scripts as soon as a project is opened. This means developers can become infected without manually running any code, making the attack especially dangerous and difficult to detect. (Security Boulevard)

The campaign is linked to North Korean threat actors associated with operations like the “Contagious Interview” scheme, where victims are tricked into downloading or opening fake coding projects disguised as job assignments. Once opened in VS Code, these projects automatically execute hidden commands that install malware. (The Hacker News)

In some cases, the malicious scripts deploy advanced malware such as StoatWaffle, which can download additional payloads, steal sensitive data, and maintain persistent access to infected systems. The malware may even install required dependencies like Node.js automatically to ensure execution across different environments. (The Hacker News)

Security researchers warn that this technique reflects a broader shift toward “living-off-the-land” attacks, where hackers abuse legitimate tools instead of relying on obvious malware. By embedding malicious behavior into normal developer workflows, attackers can bypass traditional security defenses and remain undetected for longer periods. (codekeeper.co)

To mitigate the risk, newer versions of VS Code have introduced security controls such as disabling automatic task execution by default and prompting users before running suspicious configurations. However, experts still advise developers to carefully review any third-party code repositories and avoid trusting unknown projects without inspection. (The Hacker News)
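As a way to carry out that inspection before a project is ever opened in the editor, the following added example (not from the cited reports or from VS Code itself) reads the text of a repository's `.vscode/tasks.json` and lists every task configured with `runOptions.runOn` set to `folderOpen`, the setting that asks VS Code to start a task when the folder opens. The function names and the sample file are constructed for illustration, and the commands in the sample are harmless placeholders.

```python
import json
import re

# String literals are matched first so "//" or "," inside a string is left alone.
_STRING = r'"(?:\\.|[^"\\])*"'
_COMMENTS = re.compile(_STRING + r"|//[^\n]*|/\*.*?\*/", re.S)
_TRAILING_COMMAS = re.compile(_STRING + r"|,(?=\s*[}\]])")

def load_jsonc(text):
    """Parse tasks.json text, which may contain comments and trailing commas."""
    for pattern in (_COMMENTS, _TRAILING_COMMAS):
        text = pattern.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)
    return json.loads(text)

def find_auto_run_tasks(tasks_json_text):
    """Return the tasks that VS Code is asked to run when the folder is opened."""
    findings = []
    for task in load_jsonc(tasks_json_text).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        # A task may carry per-OS overrides, so report every command variant.
        commands = {}
        for scope in ("default", "windows", "linux", "osx"):
            block = task if scope == "default" else task.get(scope, {})
            if "command" in block:
                parts = [block["command"], *block.get("args", [])]
                commands[scope] = " ".join(map(str, parts))
        reveal = task.get("presentation", {}).get("reveal")
        findings.append({"label": task.get("label", "<unnamed>"), "commands": commands,
                         "hidden_terminal": reveal in ("never", "silent")})
    return findings

# Constructed sample: one ordinary build task and one folder-open task.
SAMPLE = """{
  // constructed example, harmless placeholder commands
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm", "args": ["run", "build"]},
    {"label": "env-check", "type": "shell", "command": "echo placeholder // kept",
     "windows": {"command": "cmd", "args": ["/c", "echo placeholder"]},
     "presentation": {"reveal": "never"},
     "runOptions": {"runOn": "folderOpen"},},
  ]
}"""

if __name__ == "__main__":
    for finding in find_auto_run_tasks(SAMPLE):
        print(finding)
```

Pass it the contents of `.vscode/tasks.json` read from disk with a plain text viewer or script rather than by opening the folder in VS Code. A finding with `hidden_terminal` set deserves particular attention, since the task is configured not to reveal its terminal panel.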

This emerging tactic highlights how even widely trusted development tools are becoming prime targets in modern cyber-espionage campaigns, especially those linked to nation-state actors.