“SleepyDuck Malware Leverages Ethereum to Sustain Its Command Server”

Cybersecurity experts have identified a significant threat in the form of a malware-laden extension called SleepyDuck. This malicious software was discovered in the Open VSX registry and is classified as a remote access trojan.
Overview of SleepyDuck Malware
According to John Tuckner from Secure Annex, the SleepyDuck trojan was embedded within an extension named juan-bianco.solidity-vlang. Initially published on October 31, 2025, this extension was updated a day later to version 0.0.8, incorporating malicious capabilities after achieving over 14,000 downloads.
Malicious Capabilities
The malware employs advanced techniques to evade detection within sandbox environments. A notable feature is its use of an Ethereum contract to dynamically update its command and control (C2) server address, should the original server be compromised.
How SleepyDuck Operates
- Triggers when a new code editor window opens or a .sol file is selected.
- Connects to the fastest available Ethereum Remote Procedure Call (RPC) provider.
- Initiates communication with a remote server at sleepyduck.xyz.
- Checks for new commands every 30 seconds.
- Collects and exfiltrates various system information, including hostname and MAC address.

If the original domain is seized, SleepyDuck is equipped with fallback mechanisms. It can connect to alternative Ethereum RPC addresses to retrieve server information and update its configuration accordingly.
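As an added defensive example (not code from the article, from Secure Annex, or from the extension itself), the following inventory check walks the extension folders of VS Code-style editors, reads each package.json manifest, and flags the extension identifier named above. The folder paths in DEFAULT_ROOTS and the sample manifests are assumptions constructed for illustration.

```python
"""Flag known-bad extension identifiers in local editor extension folders.

Extension folders follow the <publisher>.<name>-<version> layout with a
package.json manifest; the identifier below comes from the article.
"""
import json
from pathlib import Path

# Identifier reported in the article, lowercase "publisher.name" form.
BLOCKLIST = {
    "juan-bianco.solidity-vlang": "SleepyDuck RAT (malicious from version 0.0.8)",
}

# Assumed extension roots for VS Code and derived editors; adjust as needed.
DEFAULT_ROOTS = [
    Path.home() / ".vscode" / "extensions",
    Path.home() / ".vscode-oss" / "extensions",
    Path.home() / ".cursor" / "extensions",
]


def flag_manifests(manifests, blocklist=BLOCKLIST):
    """Pure check over (path, parsed package.json) pairs; returns hits."""
    hits = []
    for path, data in manifests:
        ext_id = f"{data.get('publisher', '')}.{data.get('name', '')}".lower()
        if ext_id in blocklist:
            hits.append({"id": ext_id, "version": data.get("version", "?"),
                         "path": str(path), "note": blocklist[ext_id]})
    return hits


def scan_root(root, blocklist=BLOCKLIST):
    """Read every package.json one level below root and flag matches."""
    root = Path(root)
    found = []
    if root.is_dir():
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            manifest = ext_dir / "package.json"
            try:
                found.append((ext_dir, json.loads(manifest.read_text("utf-8"))))
            except (OSError, ValueError):
                continue  # not an extension folder or unreadable manifest
    return flag_manifests(found, blocklist)


if __name__ == "__main__":
    for root in DEFAULT_ROOTS:
        for hit in scan_root(root):
            print(f"FLAGGED {hit['id']} {hit['version']} at {hit['path']}: {hit['note']}")
```

Matching is on the identifier rather than the version because an earlier, still-benign version is the same package from the same publisher and should be reviewed as well.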
Recent Developments
The deployment of SleepyDuck is part of a wider trend. In July 2025, Kaspersky reported a case where a developer lost $500,000 in cryptocurrency due to a similar rogue extension. Such incidents highlight the increasing risks facing developers.
In another related case, five extensions published by a user named “developmentinc” in the VS Code Extension Marketplace were discovered to distribute malicious mining scripts. Caution is advised for users when downloading extensions.
Safety Measures for Users
- Ensure extensions are from reputable publishers.
- Be aware of download counts, as they may be artificially inflated.
- Follow announcements from Microsoft regarding marketplace security updates.

This malware situation underscores the importance of vigilance in the developer community. Proper security practices and awareness can help mitigate risks associated with malicious extensions like SleepyDuck.