StoatWaffle, malware used by WaterPlum

2026-03-17 NTTSecurity

https://jp.security.ntt/insights_resources/tech_blog/stoatwaffle_malware_en/


NTT Security Japan analyzed StoatWaffle, a newly adopted Node.js malware used by WaterPlum, which the article describes as a North Korea-related group operating the Contagious Interview campaign. The attack starts from a blockchain-themed decoy repository whose VSCode `tasks.json` is configured to run automatically when the folder is opened, once the user grants trust; the task then pulls downloader stages from a Vercel-hosted web application and executes Node.js payloads. StoatWaffle polls C2 paths such as `/api/errorMessage` and `/api/handleErrors`, executes the code they return, and then loads stealer and RAT modules. The stealer targets browser credentials, browser extension data, macOS Keychain data, installed software information, and Windows data reachable from WSL; the RAT receives commands through `/api/hsocketNext` and returns results to `/api/hsocketResult`. The report lists five IPv4 C2 indicators and concludes that WaterPlum Team 8 is expanding beyond OtterCookie into modular malware development.

Indicators of Compromise

Type   Value            First Seen   Last Seen
IPv4   185.163.125.196  2026-03-17   2026-03-17
IPv4   147.124.202.208  2026-02-24   2026-03-17
IPv4   163.245.194.216  2026-02-24   2026-03-17
IPv4   66.235.168.136   2026-02-24   2026-03-17
IPv4   87.236.177.9     2026-01-23   2026-03-17
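As an added example (not code from the NTT Security Japan report or from this page), the script below turns the indicators above into a simple proxy-log check: the five C2 IPv4 addresses and the four C2 URL paths named in the summary are matched against each request. The log layout it parses (`timestamp client method url dest_ip status`) and the sample lines are constructed for this example, not taken from the report. An IP match is treated as high confidence; a path-only match is deliberately rated low, because short names like `/api/handleErrors` can legitimately appear in unrelated web applications and should trigger triage of the requesting process rather than an automatic verdict.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# IPv4 C2 indicators as listed on this page.
STOATWAFFLE_C2_IPS = frozenset({
    "185.163.125.196",
    "147.124.202.208",
    "163.245.194.216",
    "66.235.168.136",
    "87.236.177.9",
})

# C2 URL paths named in the summary: the first two are polled for code to
# execute, the last two carry RAT commands and results.
STOATWAFFLE_C2_PATHS = frozenset({
    "/api/errorMessage",
    "/api/handleErrors",
    "/api/hsocketNext",
    "/api/hsocketResult",
})

# Assumed proxy log layout (hypothetical; not a format from the report):
# <timestamp> <client_ip> <method> <url> <dest_ip> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<dest>\S+)\s+(?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Hit:
    line_no: int
    client: str
    dest: str
    path: str
    reasons: tuple
    confidence: str


def classify(dest: str, path: str) -> tuple:
    """Return (reasons, confidence) for one request.

    An IP match is high confidence on its own. A path-only match is low
    confidence: the names are generic enough that legitimate applications may
    use them, so it should drive triage (which process made the request, is it
    a Node.js process, what came back), not an automatic verdict.
    """
    reasons = []
    if dest in STOATWAFFLE_C2_IPS:
        reasons.append("c2_ip")
    if path in STOATWAFFLE_C2_PATHS:
        reasons.append("c2_path")
    if not reasons:
        return (), "none"
    return tuple(reasons), ("high" if "c2_ip" in reasons else "low")


def scan_log(text: str) -> list:
    """Parse proxy log lines and return one Hit per line matching an indicator."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable lines are skipped, never counted as matches
        path = urlsplit(m["url"]).path  # drops scheme, host and query string
        reasons, confidence = classify(m["dest"], path)
        if reasons:
            hits.append(Hit(line_no, m["client"], m["dest"], path, reasons, confidence))
    return hits


def summarize(hits: list) -> dict:
    """Count hits per confidence level."""
    counts = {"high": 0, "low": 0}
    for h in hits:
        counts[h.confidence] += 1
    return counts


# Constructed sample log: the 10.0.0.x clients and app.example / 203.0.113.5
# are made up; only the C2 IPs and paths come from the page.
SAMPLE_LOG = """\
2026-03-01T10:00:00Z 10.0.0.12 GET http://147.124.202.208/api/errorMessage 147.124.202.208 200
2026-03-01T10:00:05Z 10.0.0.12 POST http://147.124.202.208/api/hsocketResult 147.124.202.208 200
2026-03-01T10:01:00Z 10.0.0.7 GET http://app.example/api/handleErrors?id=3 203.0.113.5 404
2026-03-01T10:02:00Z 10.0.0.9 GET http://app.example/index.html 203.0.113.5 200
2026-03-01T10:03:00Z 10.0.0.12 GET http://87.236.177.9/ 87.236.177.9 200
"""

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.client} -> {h.dest}{h.path} "
              f"[{', '.join(h.reasons)}] confidence={h.confidence}")
    print(summarize(scan_log(SAMPLE_LOG)))
```

Run against the sample it reports four hits: lines 1, 2 and 5 at high confidence (destination IP in the indicator list) and line 3 at low confidence (path only, to a non-indicator host). Swap `LOG_RE` for the layout of your own proxy or DNS logs; the indicator sets and the classification rule do not depend on it.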
