SleepyDuck

A malicious VS Code extension using Ethereum for C2.

SleepyDuck Malware Evolves with Ethereum C2 Resilience

Nov 4, 2025

—

by

Elles De Yeager

in Threat Actors

A new sophisticated remote access trojan, dubbed “SleepyDuck,” has been discovered in the Open VSX registry, a marketplace for IDE extensions. Initially published as a benign extension on October 31, 2025, it was updated on November 1, 2025, to include malicious capabilities and has since garnered over 14,000 downloads.
Malicious VSX Extension “SleepyDuck” Leverages Ethereum for Command and Control

Nov 4, 2025

—

by

Elles De Yeager

in Threat Actors

A malicious VSX extension dubbed “SleepyDuck” has been discovered in the Open VSX registry, utilizing the Ethereum blockchain for its command and control (C2) infrastructure. Initially distributed as a legitimate Solidity development tool, the extension was updated to include malicious functionalities, posing a significant threat to developers.