Cybersecurity researchers have flagged a new malicious extension in the Open VSX registry that harbors a remote access trojan called SleepyDuck.
According to Secure Annex’s John Tuckner, the extension in question, juan-bianco.solidity-vlang (version 0.0.7), was first published on October 31, 2025, as a completely benign library that was subsequently updated to version 0.0.8 on November 1 to include new malicious capabilities after reaching 14,000 downloads.
“The malware includes sandbox evasion techniques and utilizes an Ethereum contract to update its command and control address in case the original address is taken down,” Tuckner added.
Campaigns distributing rogue extensions targeting Solidity developers have been repeatedly detected across both the Visual Studio Extension Marketplace and Open VSX. In July 2025, Kaspersky disclosed that a Russian developer lost $500,000 in cryptocurrency assets after installing one such extension through Cursor.
In the latest instance detected by the enterprise extension security firm, the malware is triggered when a new code editor window is opened or a .sol file is selected.
Specifically, it’s configured to find the fastest Ethereum Remote Procedure Call (RPC) provider to connect to in order to obtain access to the blockchain, initialize contact with a remote server at “sleepyduck[.]xyz” (hence the name) via the contract address “0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465,” and kicks off a polling loop that checks for new commands to be executed on the host every 30 seconds.
It’s also capable of gathering system information, such as hostname, username, MAC address, and timezone, and exfiltrating the details to the server. In the event the domain is seized or taken down, the malware has built-in fallback controls to reach out to a predefined list of Ethereum RPC addresses to extract the contract information that can hold the server details.
What’s more, the extension is equipped to reach a new configuration from the contract address to set a new server, as well as execute an emergency command to all endpoints in the event that something unexpected occurs. The contract was created on October 31, 2025, with the threat actor updating the server details from “localhost:8080” to “sleepyduck[.]xyz” over the course of four transactions.
It’s not clear if the download counts were artificially inflated by the threat actors to boost the relevance of the extension in search results – a tactic often adopted to increase the popularity so as to trick unsuspecting developers into installing a malicious library.
The development comes as the company also disclosed details of another set of five extensions, this time published to the VS Code Extension Marketplace by a user named “developmentinc,” including a Pokémon-themed library that downloads a batch script miner from an external server (“mock1[.]su:443”) as soon as it’s installed or enabled,…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
