Malicious Solidity VSCode Extension on Open VSX Targets Developers


Security researchers have identified a remote access trojan named SleepyDuck that was distributed through the Open VSX open-source registry as a lookalike of a popular Solidity extension. The malware locates its command-and-control infrastructure through an Ethereum smart contract rather than a fixed server address.

Overview of Open VSX

Open VSX is a community-run registry of Visual Studio Code (VS Code) extensions. It is the extension source for several editors built on VS Code, such as Cursor and Windsurf, so an extension published there reaches users of those IDEs as well.

Details of the Malicious Extension

The malicious extension is listed as ‘juan-bianco.solidity-vlang’ and has been downloaded more than 53,000 times. Open VSX has attached a warning to the listing, but at the time of writing the extension was still available. When it was first published on October 31 it contained no malicious code; an update the following day introduced the malicious capabilities, by which point the extension had already accumulated around 14,000 downloads.

Malware Communication Mechanism

  • The trojan reads its command-and-control (C2) server address from an Ethereum smart contract, so the operator can point infected hosts at a new server by updating the contract's state instead of shipping a new extension version.
  • Taking down the default C2 server does not disable the malware: as long as the contract remains readable on the Ethereum blockchain, the implant can retrieve a replacement address.

Operational Characteristics of SleepyDuck

Across its releases, from version 0.0.7 through version 0.1.3 (published November 2), the extension accumulated 53,439 downloads. Its single 5-star rating was left by the author's own account. The malicious code runs in several situations: on editor startup, when a Solidity file is opened, and when the extension's Solidity compile command is invoked.
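Each of those triggers corresponds to an activation event declared in an extension's package.json, so an inventory of installed extensions and their activation events is a practical first check. The script below is an added example written for this article (not code from the researchers, Open VSX or the extension). It flags the extension identifier named in the report and, separately, lists extensions that run code on every editor start. It assumes the on-disk layout `<root>/<publisher>.<name>-<version>/package.json` used by VS Code under `~/.vscode/extensions`; the `~/.cursor/extensions` and `~/.windsurf/extensions` paths for the forks are assumptions, and the sample manifests (including the command name) are constructed for the demo.

```python
"""Audit installed VS Code-style extensions for SleepyDuck-like activation.

Added example, not code from the researchers, Open VSX or the extension.
Assumed layout: <root>/<publisher>.<name>-<version>/package.json.
"""
import json
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional

# Extension identifier named in the report.
KNOWN_BAD_IDS = {"juan-bianco.solidity-vlang"}

# activationEvents that run extension code on every editor start, regardless of
# what the user opens. Not malicious by themselves, but they deserve review.
STARTUP_EVENTS = {"*", "onStartupFinished"}


@dataclass
class Finding:
    ext_id: str
    version: str
    severity: str  # "malicious" or "review"
    reasons: List[str] = field(default_factory=list)


def extension_id(manifest: dict) -> str:
    """publisher.name, lower-cased, which is how registries and editors identify extensions."""
    return f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}".lower()


def audit_manifest(manifest: dict) -> Optional[Finding]:
    """Return a Finding for a manifest that matches a known-bad ID or activates at startup."""
    ext_id = extension_id(manifest)
    version = str(manifest.get("version", "?"))
    events = manifest.get("activationEvents") or []

    if ext_id in KNOWN_BAD_IDS:
        return Finding(ext_id, version, "malicious",
                       [f"identifier matches a reported malicious extension; "
                        f"activates on {', '.join(events)}"])

    startup = sorted(e for e in events if e in STARTUP_EVENTS)
    if startup:
        return Finding(ext_id, version, "review",
                       [f"runs code on every editor start via {', '.join(startup)}"])
    return None


def scan_extensions(root: Path) -> List[Finding]:
    """Read every <root>/*/package.json and return findings in path order."""
    findings = []
    for manifest_path in sorted(root.glob("*/package.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: nothing to judge
        finding = audit_manifest(manifest)
        if finding:
            findings.append(finding)
    return findings


def default_roots() -> List[Path]:
    """Extension directories to scan on a developer workstation (fork paths are assumptions)."""
    home = Path.home()
    return [home / ".vscode" / "extensions",
            home / ".cursor" / "extensions",     # assumed layout for Cursor
            home / ".windsurf" / "extensions"]   # assumed layout for Windsurf


def demo() -> List[Finding]:
    """Build a constructed extension tree in a temp dir and scan it offline."""
    manifests = {
        # Constructed stand-in for the reported extension. The activationEvents mirror
        # the triggers described in the article; the command name is invented.
        "juan-bianco.solidity-vlang-0.1.3": {
            "publisher": "juan-bianco", "name": "solidity-vlang", "version": "0.1.3",
            "activationEvents": ["onStartupFinished", "onLanguage:solidity",
                                 "onCommand:solidity.compile"],
        },
        # Constructed benign extension that only wakes for its own language.
        "acme.hello-1.0.0": {
            "publisher": "acme", "name": "hello", "version": "1.0.0",
            "activationEvents": ["onLanguage:python"],
        },
        # Constructed extension that runs on every start: not malicious, but worth a look.
        "acme.always-on-2.0.0": {
            "publisher": "acme", "name": "always-on", "version": "2.0.0",
            "activationEvents": ["*"],
        },
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for folder, manifest in manifests.items():
            (root / folder).mkdir()
            (root / folder / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        return scan_extensions(root)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.severity}] {f.ext_id} {f.version}: {'; '.join(f.reasons)}")
    # Against a real workstation: for root in default_roots(): scan_extensions(root)
```

A "review" finding is an inventory item, not a verdict: many legitimate extensions activate at startup. The value of the scan is knowing which extensions run code without any user action, since that is exactly the window SleepyDuck used.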

Malicious Behavior upon Activation

Upon activation, SleepyDuck performs the following actions:

  • Creates a lock file so that the payload runs only once per host.
  • Calls a decoy function named ‘webpack.init()’ so that the call reads like ordinary bundler setup.
  • Loads the malicious payload in place of the legitimate function the name suggests.

Data Collection and Command Execution

Once initialized, the malware fingerprints the host, collecting the hostname, username, MAC address and time zone, and sets up a command-execution environment. It probes several Ethereum RPC providers, uses the fastest responder to read the current C2 address from the smart contract, and then runs a continuous polling loop to stay in contact with the operator and receive commands.
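The following model of that resolution flow (the contract lookup in the Malware Communication Mechanism section and the provider selection and polling loop described just above) is an added example and not code from the extension or from the researchers' report. It shows the three pieces an analyst needs to reproduce or decode the traffic: the JSON-RPC `eth_call` request body, ABI decoding of a `string` return value, and a poll that falls back to a default only when the contract read fails. The contract address, function selector and RPC URLs are placeholders; the "chain state" in the demo is a constructed stand-in for contract storage, and no network access is performed.

```python
"""Model of C2 resolution through an Ethereum contract, as described for SleepyDuck.

Added illustration, not code from the extension or the report. CONTRACT, SELECTOR
and all URLs are placeholders (assumptions), and the demo uses a fake node.
"""
import json
from typing import Callable, Iterable, List, Optional

CONTRACT = "0x" + "11" * 20      # placeholder contract address
SELECTOR = "0xaabbccdd"          # placeholder 4-byte selector of a getter returning a string


def build_eth_call(contract: str, selector: str, request_id: int = 1) -> str:
    """JSON-RPC body asking a node to run a read-only contract method at the latest block."""
    return json.dumps({
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    })


def encode_abi_string(value: str) -> str:
    """ABI-encode one dynamic `string` return value (used here to construct sample responses)."""
    data = value.encode("utf-8")
    padded = data + b"\x00" * (-len(data) % 32)
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    return "0x" + (head + padded).hex()


def decode_abi_string(result: str) -> str:
    """Decode the `result` of an eth_call that returns a single dynamic `string`.

    Layout: 32-byte offset to the string, 32-byte byte length at that offset,
    then the UTF-8 bytes right-padded to a multiple of 32.
    """
    raw = bytes.fromhex(result[2:] if result.startswith("0x") else result)
    if len(raw) < 64:
        raise ValueError("response too short for an ABI-encoded string")
    offset = int.from_bytes(raw[0:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("offset points outside the payload")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length exceeds the payload")
    return raw[start:start + length].decode("utf-8")


def fastest_provider(probe: Callable[[str], Optional[float]],
                     providers: Iterable[str]) -> Optional[str]:
    """Pick the provider with the lowest measured latency; probe returns seconds or None."""
    best, best_latency = None, float("inf")
    for url in providers:
        latency = probe(url)
        if latency is not None and latency < best_latency:
            best, best_latency = url, latency
    return best


def resolve_c2(fetch: Callable[[str, str], str], provider: str, default_c2: str) -> str:
    """One polling iteration: read the current C2 from the contract, else keep the default.

    `fetch(provider, body)` returns the hex `result` string of the eth_call response.
    """
    try:
        return decode_abi_string(fetch(provider, build_eth_call(CONTRACT, SELECTOR)))
    except (ValueError, UnicodeDecodeError):
        return default_c2


def demo() -> List[str]:
    """Two polling rounds against a fake node; the operator rotates the C2 in between."""
    chain_state = {"c2": "https://first-c2.example"}  # constructed stand-in for contract storage

    def fake_fetch(provider: str, body: str) -> str:
        request = json.loads(body)
        if request["method"] != "eth_call" or request["params"][0]["to"] != CONTRACT:
            raise ValueError("unexpected request")
        return encode_abi_string(chain_state["c2"])

    resolved = []
    for _ in range(2):
        resolved.append(resolve_c2(fake_fetch, "https://rpc.example", "https://dead-default.example"))
        chain_state["c2"] = "https://second-c2.example"  # operator updates the contract
    return resolved


if __name__ == "__main__":
    print(demo())
```

The demo makes the defensive point concrete: the default server never appears in the resolved list, because every poll reads the chain first. Blocking the default domain is therefore not containment; network indicators worth watching are editor processes issuing JSON-RPC `eth_call` requests to public Ethereum endpoints.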

Security Measures by Open VSX

The rise in malicious activity targeting Open VSX has prompted new security measures. The registry recently announced changes intended to protect its users, including:

  • Reducing token lifetimes.
  • Quickly revoking compromised credentials.
  • Implementing automated scans for threats.
  • Collaborating with VS Code to share information about emerging security risks.

Best Practices for Developers

Developers should be cautious when installing VS Code extensions: prefer well-known publishers and check the publisher identifier against the project's official repository, since a lookalike name was the lure here. Reputation alone does not remove the risk. As this case shows, an extension can be published clean and turn malicious in a later update, so a trusted initial release is no guarantee for the versions that follow.

Given the increasing sophistication of threats such as SleepyDuck, extension registries should be treated as part of the software supply chain, with the same vigilance applied to extension installs as to any other dependency.