A new, sophisticated remote access trojan, dubbed “SleepyDuck,” has been discovered in the Open VSX registry, a marketplace for IDE extensions. Initially published as a benign extension on October 31, 2025, it was updated on November 1, 2025, to include malicious capabilities and has since garnered over 14,000 downloads.
Analysis by cybersecurity firm Secure Annex reveals that SleepyDuck employs advanced techniques, including sandbox evasion. Critically, it utilizes an Ethereum contract for command and control (C2) server updates. This blockchain-based C2 mechanism significantly enhances the malware’s resilience, allowing it to dynamically fetch updated server addresses from the Ethereum network even if the primary domain (`sleepyduck.xyz`) is compromised or taken offline. The malware is activated when a new code editor window is opened or a Solidity (.sol) file is selected.
Upon execution, SleepyDuck gathers system information such as hostname, username, MAC address, and timezone, which is then exfiltrated to its C2 server. The use of the Ethereum contract at `0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465` serves as a robust fallback, enabling the malware to receive new configurations, including alternative server addresses and different polling intervals, or to execute emergency commands across all infected endpoints. The contract was created on October 31, 2025, and has undergone several transactions that appear to update its C2 details.
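The indicators above (the `sleepyduck.xyz` domain, the Ethereum contract address, activation on Solidity files or new editor windows, and host fingerprinting) lend themselves to a simple triage check over an unpacked extension. The following Python script is an added example, not Secure Annex's tooling and not code from the extension itself. The two published IoCs come from the write-up; the heuristic patterns (activation events of interest, Ethereum JSON-RPC method names, Node.js host-identity calls, timezone lookup) and the scoring weights are assumptions of this example. Both the malicious-looking and the benign extension trees it scans are constructed inline so it runs offline.

```python
"""Triage scanner for unpacked VS Code / Open VSX extensions (added example)."""
import json
import re
import tempfile
from pathlib import Path

# Indicators published in the SleepyDuck write-up.
KNOWN_IOCS = {
    "domain": "sleepyduck.xyz",
    "eth_contract": "0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465",
}

# Assumed heuristics (not from the write-up): activation triggers matching the
# described behaviour, Ethereum JSON-RPC reads, and host fingerprinting calls.
ACTIVATION_OF_INTEREST = {"onLanguage:solidity", "*", "onStartupFinished"}
HEURISTIC_PATTERNS = {
    "eth_jsonrpc": re.compile(r"\beth_(call|getStorageAt|getCode)\b"),
    "eth_address": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "host_fingerprint": re.compile(r"os\.(hostname|userInfo|networkInterfaces)\(\)"),
    "timezone": re.compile(r"resolvedOptions\(\)\.timeZone"),
}
SCANNED_SUFFIXES = {".js", ".ts", ".mjs", ".cjs", ".json"}


def scan_extension(root):
    """Return a list of findings ({file, indicator, weight}) for one extension tree."""
    root = Path(root)
    findings = []
    manifest_path = root / "package.json"
    if manifest_path.is_file():
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        for event in manifest.get("activationEvents", []):
            if event in ACTIVATION_OF_INTEREST:
                findings.append({"file": "package.json",
                                 "indicator": f"activation:{event}", "weight": 1})
    for path in root.rglob("*"):
        if path.suffix not in SCANNED_SUFFIXES or not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        rel = str(path.relative_to(root))
        # Exact matches on published IoCs are high confidence.
        if KNOWN_IOCS["domain"] in text:
            findings.append({"file": rel, "indicator": "known_domain", "weight": 10})
        if KNOWN_IOCS["eth_contract"].lower() in text.lower():
            findings.append({"file": rel, "indicator": "known_contract", "weight": 10})
        # Behavioural heuristics are lower weight; they also fire on legitimate code.
        for name, pattern in HEURISTIC_PATTERNS.items():
            if pattern.search(text):
                findings.append({"file": rel, "indicator": name, "weight": 2})
    return findings


def risk_score(findings):
    return sum(f["weight"] for f in findings)


def classify(score):
    """Assumed thresholds: any published IoC hit (weight 10) is enough on its own."""
    if score >= 10:
        return "known-malicious"
    if score >= 4:
        return "suspicious"
    return "clean"


def write_sample_extension(base_dir, malicious):
    """Write a constructed extension tree for demonstration; not a real package."""
    root = Path(base_dir) / ("sleepy-sample" if malicious else "benign-sample")
    root.mkdir(parents=True, exist_ok=True)
    if malicious:
        manifest = {"name": "solidity-helper", "main": "./extension.js",
                    "activationEvents": ["onLanguage:solidity", "onStartupFinished"]}
        code = (
            "const os = require('os');\n"
            "const C2 = 'https://sleepyduck.xyz/';\n"
            "const CONTRACT = '0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465';\n"
            "const info = { host: os.hostname(), user: os.userInfo().username,\n"
            "  tz: Intl.DateTimeFormat().resolvedOptions().timeZone };\n"
            "// constructed stand-in: would read the current C2 via eth_call\n"
        )
    else:
        manifest = {"name": "hello-world", "main": "./extension.js",
                    "activationEvents": ["onCommand:hello.say"]}
        code = ("const vscode = require('vscode');\n"
                "exports.activate = () => vscode.window.showInformationMessage('hi');\n")
    (root / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    (root / "extension.js").write_text(code, encoding="utf-8")
    return root


def demo():
    """Build both constructed samples in a temp dir, scan them, and return the verdicts."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, malicious in (("malicious", True), ("benign", False)):
            findings = scan_extension(write_sample_extension(tmp, malicious))
            score = risk_score(findings)
            results[label] = {"score": score, "verdict": classify(score),
                              "indicators": sorted(f["indicator"] for f in findings)}
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real extension by pointing `scan_extension` at the directory an extension was unpacked into (a `.vsix` is a zip archive whose `extension/` folder holds `package.json` and the bundled JavaScript). The published IoCs dominate the score so a single hit is conclusive; the heuristics alone only raise an extension to "suspicious" and are meant to queue it for manual review, not to block it.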
This discovery highlights a concerning trend of threat actors leveraging cryptocurrency infrastructure to build more persistent and evasive malware. The campaign is part of a larger pattern of malicious extensions targeting Solidity developers, with similar threats observed since July 2025. The ability to disguise malicious code within seemingly legitimate developer tools poses a significant risk to software supply chains and developer security.