Malicious VSX extension ‘SleepyDuck’ uses Ethereum to keep command server alive

November 3, 2025 4 Min Read

Cybersecurity researchers have reported a new malicious extension in the Open VSX registry that harbors a remote access Trojan named SleepyDuck.

According to John Tuckner of Secure Annex, the extension in question, juan-bianco.solidity-vlang (version 0.0.7), was first published as a completely benign library on October 31, 2025, and reached 14,000 downloads before being updated to version 0.0.8 with the malicious functionality on November 1.

“The malware includes sandbox evasion techniques and leverages Ethereum contracts to update command and control addresses in case the original address is deleted,” Tuckner added.

Campaigns targeting Solidity developers with malicious extensions on both the Visual Studio Marketplace and Open VSX have been detected repeatedly. In July 2025, Kaspersky revealed that a Russian developer lost $500,000 in cryptocurrency assets after installing such an extension through Cursor.

In the latest case detected by the enterprise extension security company, the malware is triggered when a new code editor window is opened or a .sol file is selected.

Specifically, it finds the fastest Ethereum remote procedure call (RPC) provider to connect to in order to gain access to the blockchain, and connects to the remote server at “sleepyduck(.)xyz” (hence the name), which it obtains via the contract address “0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465”. It is configured to initiate a connection with the server and start a polling loop that checks every 30 seconds for new commands to be executed on the host.

It can also collect system information such as the hostname, username, MAC address and time zone, and exfiltrate those details to the server. If the domain is taken down or deleted, the malware has a built-in fallback: it queries a predefined list of Ethereum RPC endpoints to read the contract, which can hold the server details.


In addition, the extension can retrieve new configurations from the contract address to set up new servers, as well as run emergency commands across all infected endpoints in case of unexpected events. The contract was created on October 31, 2025, and the attacker updated the server details from “localhost:8080” to “sleepyduck(.)xyz” through four transactions.
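A defender-side check for the behaviour described above, added here as an example (it is not Secure Annex's tooling or code from the extension): it walks a directory of unpacked editor extensions and flags those that activate on startup or on Solidity files and whose bundled JavaScript references Ethereum contract addresses, JSON-RPC calls, process spawning or host fingerprinting. The indicator regexes, the activation events and the two fixture extensions are constructed for the example; the suspicious fixture uses the zero address as a placeholder rather than the real contract.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed indicators matching the behaviour described in the article
# (contract-based C2 lookup, command execution, host fingerprinting).
INDICATORS = {
    "eth_contract_address": re.compile(r"0x[0-9a-fA-F]{40}"),
    "eth_rpc_call": re.compile(r"eth_call|eth_getCode|JsonRpcProvider|ethers\b|web3", re.I),
    "process_spawn": re.compile(r"child_process|exec\(|spawn\("),
    "host_fingerprint": re.compile(r"os\.(hostname|userInfo|networkInterfaces)\("),
}
# Activation on every window or on .sol files (assumed language id "solidity").
SUSPICIOUS_ACTIVATION = ("*", "onStartupFinished", "onLanguage:solidity")

def audit_extension(ext_dir: Path) -> dict:
    """Return suspicious activation events and indicator hits for one unpacked extension."""
    manifest = json.loads((ext_dir / "package.json").read_text())
    events = [e for e in manifest.get("activationEvents", []) if e in SUSPICIOUS_ACTIVATION]
    hits = {}
    for js in ext_dir.rglob("*.js"):
        text = js.read_text(errors="ignore")
        for name, rx in INDICATORS.items():
            if rx.search(text):
                hits.setdefault(name, []).append(js.name)
    ext_id = f"{manifest.get('publisher')}.{manifest.get('name')}"
    return {"id": ext_id, "activation": events, "indicators": hits, "score": len(events) + len(hits)}

def audit_all(root: Path) -> list:
    """Audit every extension under root, highest score first."""
    found = [audit_extension(d) for d in root.iterdir() if (d / "package.json").exists()]
    return sorted(found, key=lambda r: -r["score"])

def demo_root() -> Path:
    """Constructed fixture: one benign extension and one SleepyDuck-like extension."""
    root = Path(tempfile.mkdtemp())
    fixtures = (
        ("acme.fmt", ["onCommand:fmt.run"], "module.exports = { activate() {} };\n"),
        ("evil.sol-helper", ["*", "onLanguage:solidity"],
         "const { execSync } = require('child_process');\n"
         "const addr = '0x" + "0" * 40 + "'; // placeholder contract address\n"
         "fetch(rpc, { body: JSON.stringify({ method: 'eth_call' }) });\n"
         "setInterval(() => execSync(cmd), 30000); os.hostname();\n"),
    )
    for ext_id, events, body in fixtures:
        publisher, name = ext_id.split(".")
        d = root / ext_id
        d.mkdir()
        (d / "package.json").write_text(json.dumps({"publisher": publisher, "name": name, "activationEvents": events}))
        (d / "extension.js").write_text(body)
    return root
```

Point `audit_all` at a real extensions directory (for VS Code, `~/.vscode/extensions`) to triage installed extensions; a non-zero score is a prompt for manual review, not a verdict.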

It is unclear whether the attackers artificially inflated the download numbers to increase the extension’s ranking in search results, a tactic often used to fake popularity and trick unsuspecting developers into installing malicious libraries.

This development comes as the company also revealed details of another set of five extensions, this time published on the VS Code Extension Marketplace by a user named “developmentinc.” Among them is a Pokemon-themed library that downloads a batch script from an external server (‘mock1(.)su:443’) and runs it using ‘cmd.exe’ as soon as it is installed or enabled.

In addition to relaunching itself with administrator privileges using PowerShell and adding Microsoft Defender Antivirus exclusions for every drive letter from C: to Z:, the batch script downloads and runs a Monero mining executable from “mock1(.)su”.

The extensions uploaded by the threat actor are no longer available for download; they are listed below.

  • developmentinc cfx-lua-vs
  • developmentinc Pokemon
  • developmentinc torizon-VS
  • developmentinc Minecraft Snippets
  • developmentinc Combai

Users are advised to be careful when downloading extensions and to ensure that they come from reputable publishers. Microsoft announced in June that it would begin regular marketplace-wide scans to protect users from malware. All extensions that have been removed from the official marketplace are listed on the RemovedPackages page on GitHub.
