Malicious Open VSX Extension “SleepyDuck” Uses an Ethereum Contract to Keep Its Command Server Reachable
Cybersecurity researchers have identified a new malicious extension in the Open VSX registry. The extension, known as “SleepyDuck,” carries a remote access trojan and is distributed under the name juan-bianco.solidity-vlang. It was first released on October 31, 2025, and was updated on November 1, 2025, to add the malicious functionality after it had accumulated 14,000 downloads.
Details of the “SleepyDuck” Malicious Extension
Secure Annex’s John Tuckner has provided insight into the operational mechanics of this malware. It employs sandbox evasion methods and leverages an Ethereum contract to modify its command and control address, ensuring continued functionality even if the original address is deactivated.
Download and Distribution Patterns
- Initial release: October 31, 2025
- Updated version: November 1, 2025
- Total downloads before malicious update: 14,000

The malware activates when a user opens a new code editor window or selects a .sol file. It seeks the fastest Ethereum Remote Procedure Call (RPC) provider to gain access to blockchain functionalities. It establishes a connection to a remote server at “sleepyduck[.]xyz” via the contract address “0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465.” A loop is then initiated, polling every 30 seconds for new commands.
System Information Gathering Capabilities
“SleepyDuck” also collects system data such as:
- Hostname
- Username
- MAC Address
- Timezone

This information is sent back to the remote server. In scenarios where the domain is compromised or seized, the trojan has fallback measures. It can revert to a predetermined list of Ethereum RPC addresses to retrieve the contract information.
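As an added example (not from Secure Annex, Microsoft or the article), the following triage script checks installed extensions for the indicators described above and for the behavioural pattern of an editor extension that talks to an Ethereum RPC endpoint and beacons on a fixed 30-second timer; the sample manifest and source are constructed.

```python
"""Triage VS Code / Open VSX extensions for the SleepyDuck indicators described
in the article. Added example; not Secure Annex, Microsoft or Open VSX tooling."""
import json
import re
from pathlib import Path

# Indicators quoted in the article.
KNOWN_BAD_IDS = {"juan-bianco.solidity-vlang"}
IOC_PATTERNS = {
    "c2_domain": re.compile(r"sleepyduck\.xyz", re.I),
    "c2_contract": re.compile(r"0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465", re.I),
}
# Behavioural heuristics for the same tradecraft under another name: an editor
# extension that talks to an Ethereum RPC endpoint and beacons on a fixed 30 s timer.
HEURISTICS = {
    "eth_rpc_client": re.compile(r"eth_call|JsonRpcProvider", re.I),
    "solidity_activation": re.compile(r"onLanguage:solidity"),
    "thirty_second_poll": re.compile(r"setInterval\s*\([^;]*?,\s*30000\s*\)"),
}

def scan_extension(manifest: dict, sources: dict) -> dict:
    """Classify one extension from its package.json (dict) and {filename: JS source}."""
    ext_id = f"{manifest.get('publisher', '')}.{manifest.get('name', '')}"
    blob = json.dumps(manifest) + "\n" + "\n".join(sources.values())
    iocs = [k for k, p in IOC_PATTERNS.items() if p.search(blob)]
    hits = [k for k, p in HEURISTICS.items() if p.search(blob)]
    if ext_id in KNOWN_BAD_IDS or iocs:
        verdict = "malicious"
    elif "eth_rpc_client" in hits and "thirty_second_poll" in hits:
        verdict = "suspicious"  # on-chain lookup plus beaconing; review by hand
    else:
        verdict = "clean"
    return {"id": ext_id, "iocs": iocs, "heuristics": hits, "verdict": verdict}

def scan_dir(root: Path) -> list:
    """Scan every extension under a directory such as ~/.vscode/extensions."""
    results = []
    for manifest_path in root.glob("*/package.json"):
        manifest = json.loads(manifest_path.read_text(encoding="utf-8", errors="replace"))
        sources = {str(p): p.read_text(encoding="utf-8", errors="replace")
                   for p in manifest_path.parent.rglob("*.js")}
        results.append(scan_extension(manifest, sources))
    return results

# Constructed sample mimicking the described behaviour; not the real extension's code.
SAMPLE_MANIFEST = {"publisher": "example-publisher", "name": "sol-helper",
                   "activationEvents": ["onLanguage:solidity", "onStartupFinished"]}
SAMPLE_SOURCES = {"extension.js": "const p = new ethers.JsonRpcProvider(rpcUrl);\n"
                                  "setInterval(() => pollCommands(p), 30000);\n"}
```

A legitimate Solidity tool may also use an Ethereum RPC client, so the "suspicious" verdict is a prompt for manual review of the extension's network behaviour, not a conviction.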
Malicious Updates and Evasion Strategies
On October 31, 2025, the malicious contract began updating from “localhost:8080” to “sleepyduck[.]xyz” via four separate transactions. There are concerns that the download figures may have been artificially inflated by the developers to increase the extension’s visibility in search results, presenting a serious risk to unsuspecting developers.
Other Related Malicious Activities
In addition to the SleepyDuck threat, other malicious extensions were also identified. One user, under the alias “developmentinc,” published five extensions on the VS Code Extension Marketplace that included a Pokémon-themed library. This library was designed to download and execute a mining script from an external server immediately after installation.
Recommendations for Users
Users are urged to exercise caution when installing extensions and to verify that they come from reputable publishers. Microsoft has initiated regular marketplace scans to safeguard users against malware, and a list of extensions removed from the marketplace is published on the RemovedPackages page on GitHub.