Malicious VSX Extension “SleepyDuck” Found: Trojan Uses Ethereum Blockchain as Backup Command Channel


444/68 Wednesday, November 5, 2025

Cybersecurity researchers have issued a warning about a new malicious extension on the Open VSX registry called “SleepyDuck.” The extension, published under the name juan-bianco.solidity-vlang (version 0.0.8), contains a hidden Remote Access Trojan (RAT). According to Secure Annex, the extension first appeared in version 0.0.7 on October 31, 2025, as a harmless-looking library. After it reached 14,000 downloads, the attacker updated it to version 0.0.8 on November 1, adding malicious capabilities.

One of the most concerning aspects of SleepyDuck is its stealth technique and resilience. The malware uses an Ethereum smart contract to store updated command-and-control (C2) server addresses. This means that even if a C2 server is blocked or taken down, the attacker only needs to update the address in the blockchain, and the malware will automatically retrieve the new destination, making takedown efforts far more difficult.

The campaign primarily targets developers working with Solidity, the programming language used for cryptocurrency and smart contracts. This isn’t the first attack of its kind: back in July 2025, Kaspersky reported that a Russian developer lost approximately 17 million THB worth of crypto assets after installing a similar malicious extension. Around the same period, five other malicious extensions were discovered in the VS Code Extension Marketplace (a different platform from Open VSX), uploaded by a publisher named “developmentinc.” These extensions downloaded PowerShell scripts that enabled Monero cryptomining, escalated privileges to administrator, and even disabled Microsoft Defender Antivirus across all drives.

Analysis suggests that the 14,000 downloads of SleepyDuck may have been artificially inflated to boost credibility and ranking, making it more likely for developers to trust and install it.

The five cryptomining extensions have since been removed, but the incident serves as a reminder for developers to be extremely cautious when installing extensions, especially those from unknown publishers. Microsoft has announced plans to tighten security by performing regular scans of extensions on the Marketplace and publishing a list of removed extensions on GitHub for transparency.
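As an added illustration (not code from the article, Secure Annex or any of the projects named), a Python check a developer could run over an unpacked VS Code-style extensions folder: it flags the package, version and publisher the article names and, as a heuristic assumption, any extension JavaScript carrying Ethereum JSON-RPC indicators, which an editor extension rarely has reason to use. The sample folder it builds is constructed for the demonstration.

```python
import json, re, tempfile
from pathlib import Path

# Indicators from the article: the trojanised Open VSX package (malicious from 0.0.8)
# and the publisher behind the five cryptomining Marketplace extensions.
KNOWN_BAD = {("juan-bianco", "solidity-vlang"): "0.0.8"}
KNOWN_BAD_PUBLISHERS = {"developmentinc"}
# Heuristic (assumption, not from the article): eth_call or public RPC gateways in an editor extension deserve review.
ETH_RPC_PATTERNS = {
    "eth_call": re.compile(rb"eth_call"),
    "public RPC gateway URL": re.compile(rb"https?://\S*(?:infura|alchemy|ankr)\S*", re.I),
}

def version_tuple(v: str):
    return tuple(int(p) for p in re.findall(r"\d+", v))

def scan_extension(ext_dir: Path):
    """Return findings for one unpacked extension directory (empty list means clean)."""
    findings, manifest = [], ext_dir / "package.json"
    if not manifest.is_file():
        return findings
    meta = json.loads(manifest.read_text(encoding="utf-8"))
    pub, name, ver = meta.get("publisher", ""), meta.get("name", ""), meta.get("version", "0")
    bad_from = KNOWN_BAD.get((pub, name))
    if bad_from and version_tuple(ver) >= version_tuple(bad_from):
        findings.append(f"known malicious package {pub}.{name}@{ver}")
    if pub in KNOWN_BAD_PUBLISHERS:
        findings.append(f"publisher {pub} linked to cryptomining extensions")
    for js in sorted(ext_dir.rglob("*.js")):
        data = js.read_bytes()
        hits = [label for label, pat in ETH_RPC_PATTERNS.items() if pat.search(data)]
        if hits:
            findings.append(f"Ethereum RPC indicator(s) {hits} in {js.relative_to(ext_dir)}")
    return findings

def scan_extensions_root(root: Path):
    """Scan a VS Code-style extensions folder (e.g. ~/.vscode/extensions); clean ones are omitted."""
    return {d.name: f for d in sorted(root.iterdir()) if d.is_dir() and (f := scan_extension(d))}

def build_sample_root() -> Path:
    """CONSTRUCTED sample: one trojanised-looking and one benign extension, for offline runs."""
    base = Path(tempfile.mkdtemp())
    for pub, name, ver, js in [
        ("juan-bianco", "solidity-vlang", "0.0.8", 'fetch(rpc, {body: JSON.stringify({method: "eth_call"})})'),
        ("example-publisher", "hello-world", "1.0.0", "module.exports = { activate() {} };"),
    ]:
        (d := base / f"{pub}.{name}-{ver}").mkdir()
        (d / "package.json").write_text(json.dumps({"publisher": pub, "name": name, "version": ver}))
        (d / "extension.js").write_text(js)
    return base
```

Point `scan_extensions_root` at your real extensions directory instead of `build_sample_root()` to review what is actually installed.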

Source https://thehackernews.com/2025/11/malicious-vsx-extension-sleepyduck-uses.html