Malicious VSX Extension “SleepyDuck” Leverages Ethereum for Command and Control

A newly identified malicious extension, dubbed “SleepyDuck,” has been found in the Open VSX registry, employing the Ethereum blockchain to maintain its command and control (C2) infrastructure. The extension, initially distributed as a legitimate Solidity development tool, was updated to incorporate malicious functionalities.

The extension, published as juan-bianco.solidity-vlang (version 0.0.8), first appeared as a benign release on October 31, 2025. A subsequent update on November 1, 2025, introduced remote access trojan capabilities. This malicious version gained traction after reaching a reported 14,000 downloads. Researchers from Secure Annex noted that the malware incorporates sandbox evasion techniques and uses an Ethereum contract to dynamically update its C2 server address, enhancing its resilience against takedown attempts.

The SleepyDuck malware initiates by connecting to an Ethereum Remote Procedure Call (RPC) provider. It then interacts with a specific smart contract, 0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465, to retrieve the address of its C2 server, reported as “sleepyduck[.]xyz”. The contract, created on October 31, 2025, was updated by the threat actor associated with address 0x0eDcFE26CF600FB56ae6AaF3F1D943c811314573. Transaction data indicates the server address was changed from “localhost:8080” to “sleepyduck[.]xyz” through a series of four transactions.

Once connected, the malware establishes a polling loop, checking for new commands every 30 seconds. It is also designed to exfiltrate system information, including hostname, username, MAC address, and timezone, to the C2 server. If the primary C2 domain is compromised or taken offline, SleepyDuck is programmed with fallback mechanisms to query a predefined list of Ethereum RPC addresses to obtain updated server details from the contract. The extension can also receive new configurations and execute emergency commands across all compromised endpoints.

This discovery highlights a continuing trend of malicious extensions targeting software developers. Similar campaigns have been observed on both the Visual Studio Extension Marketplace and Open VSX, with past incidents resulting in significant cryptocurrency losses for victims. The article suggests that the download counts for SleepyDuck may have been artificially inflated to enhance its visibility and deceive developers.

In a related development, five other extensions published on the VS Code Extension Marketplace under the name “developmentinc” were found to contain malicious payloads. One such extension, themed around Pokémon, was observed downloading and executing a batch script from an external server. This script, after elevating its privileges and configuring exclusions in Microsoft Defender Antivirus, downloads and runs a Monero mining executable. The identified malicious extensions are no longer available for download.

Developers are strongly advised to exercise caution when downloading extensions, verifying publisher legitimacy and scrutinizing permissions. Microsoft has stated it is implementing periodic marketplace-wide scans to combat malware distribution. Information on removed extensions can be found on the RemovedPackages page on GitHub.
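A defender-side check for the indicators this article names, as an added example that is not part of the original article or of Secure Annex's research: it scans a VS Code extensions directory for the named extension id and publisher, for the C2 contract address and domain, and flags any extension whose code both calls an Ethereum RPC method and fingerprints the host. The sample extension tree built by `demo()`, the heuristic regexes, and the `~/.vscode/extensions` layout are constructed assumptions.

```python
"""Scan a VS Code extensions directory for the SleepyDuck indicators named above."""
import json
import re
import tempfile
from pathlib import Path

# Identifiers taken from the article; the IoC list is deliberately small and exact.
KNOWN_BAD_EXTENSION_IDS = {"juan-bianco.solidity-vlang"}
KNOWN_BAD_PUBLISHERS = {"developmentinc"}
IOC_PATTERNS = {
    "C2 resolver contract": re.compile(r"0xdafb81732db454da238e9cfc9a9fe5fb8e34c465", re.I),
    "C2 domain": re.compile(r"sleepyduck\.xyz", re.I),
}
# Heuristic (assumption): an editor extension that queries an Ethereum RPC endpoint
# AND collects host identity is unusual enough to warrant a manual review.
ETH_RPC = re.compile(r"\beth_call\b|\beth_getStorageAt\b")
HOST_INFO = re.compile(r"os\.hostname\(|os\.userInfo\(|networkInterfaces\(")

def scan_extension(ext_dir: Path) -> list[str]:
    """Return human-readable findings for one installed extension directory."""
    manifest = ext_dir / "package.json"
    if not manifest.is_file():
        return []
    meta = json.loads(manifest.read_text(encoding="utf-8", errors="ignore"))
    publisher = str(meta.get("publisher", "")).lower()
    findings = []
    if f"{publisher}.{meta.get('name', '')}".lower() in KNOWN_BAD_EXTENSION_IDS:
        findings.append("known malicious extension id")
    if publisher in KNOWN_BAD_PUBLISHERS:
        findings.append(f"known malicious publisher '{publisher}'")
    for js in ext_dir.rglob("*.js"):  # scan shipped JavaScript, bundled or not
        text = js.read_text(encoding="utf-8", errors="ignore")
        rel = js.relative_to(ext_dir)
        findings += [f"{label} in {rel}" for label, pat in IOC_PATTERNS.items() if pat.search(text)]
        if ETH_RPC.search(text) and HOST_INFO.search(text):
            findings.append(f"heuristic: Ethereum RPC use plus host fingerprinting in {rel}")
    return findings

def scan_extensions_root(root: Path) -> dict[str, list[str]]:
    """Scan every <publisher>.<name>-<version> folder under root (e.g. ~/.vscode/extensions)."""
    return {d.name: f for d in sorted(root.iterdir()) if d.is_dir() and (f := scan_extension(d))}

def demo() -> dict[str, list[str]]:
    """Build a constructed extensions tree (stand-in strings, not real malware) and scan it."""
    root = Path(tempfile.mkdtemp())
    bad = root / "juan-bianco.solidity-vlang-0.0.8"; bad.mkdir()
    (bad / "package.json").write_text(json.dumps({"publisher": "juan-bianco", "name": "solidity-vlang"}))
    (bad / "extension.js").write_text('const c = "0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465"; // constructed\n'
                                      'rpc("eth_call", c); send(os.hostname(), os.networkInterfaces());\n')
    good = root / "example-publisher.hello-world-1.0.0"; good.mkdir()
    (good / "package.json").write_text(json.dumps({"publisher": "example-publisher", "name": "hello-world"}))
    (good / "extension.js").write_text("console.log(os.hostname());\n")  # host info alone is not flagged
    return scan_extensions_root(root)
```

Point `scan_extensions_root` at the real extensions directory to check an actual workstation; `demo()` only exercises the constructed sample.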