
Malicious VSX Extension 'SleepyDuck' Infects 14,000 Solidity Developers with Remote Access Trojan

Key Metrics

Heat Index: 16.22
  • Impact Level: Medium
  • Scope Level: Global
  • Last Update: 2025-11-04
Key Impacts
Positive Impacts (4)
Cybersecurity Sector
Smart-Contract Auditing & Blockchain Security Providers
Palo Alto Networks Inc.
CrowdStrike Holdings Inc.
Negative Impacts (2)
Ethereum (ETH)
Developer Tooling & IDE Platforms
Total impacts: 7 | Positive: 4 | Negative: 2
Event Overview

A malicious software extension masquerading as a legitimate library has compromised developer environments. The malware leverages Ethereum for command and control, evades sandbox detection, and targets the Solidity programming community. This incident highlights the vulnerabilities in code repositories and the potential for sophisticated attacks on developers.

Collect Records
Malicious VSX Extension 'SleepyDuck' Targets Solidity Developers
2025-11-04 16:05

A malicious VSX extension named 'SleepyDuck' has been identified in the Open VSX registry. It was first published as a benign library on October 31, 2025, and updated on November 1 to include a remote access trojan. The extension, 'juanbianco solidityvlang' (version 0.0.8), uses Ethereum to maintain its command server. The malware, which has been downloaded 14,000 times, uses sandbox evasion and an Ethereum contract to update its command-and-control address. It targets Solidity developers through rogue extensions on the Visual Studio Extension Marketplace and Open VSX. In July 2025, Kaspersky reported that a Russian developer lost $500,000 in cryptocurrency due to this malware.

The malicious extension activates when a new code editor window is opened or a `.sol` file is selected. It searches for the fastest Ethereum RPC provider to reach the blockchain and connects to a remote server at 'sleepyduck.xyz' using a specific contract address; the operation is associated with the Ethereum address `0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465`. The malware then enters a polling loop that checks every 30 seconds for new commands to run on the host. It can collect and exfiltrate system information, including hostname, username, MAC address and timezone, to the server. If the primary domain is seized or taken down, the malware has built-in fallback controls: it contacts a list of Ethereum RPC addresses to retrieve the contract information and recover the current server address. The extension can also update its server configuration and execute emergency commands. The contract, created on October 31, 2025, was updated by the threat actor in four transactions that changed the server from 'localhost:8080' to 'sleepyduck.xyz'.
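
As an added defender-side check, not part of this report or of any vendor tooling, the following Python scan walks a local editor extensions directory and flags the extension id, the C2 domain and the contract address named above. The `~/.vscode/extensions` location is an assumption about where the editor stores extensions, and `build_sample_tree` creates a constructed sample tree (not the real extension) so the scanner can be exercised offline.

```python
import json
import tempfile
from pathlib import Path

# Indicators as named in the report above: the extension id/version, the C2
# domain and the Ethereum contract address the extension reads for its C2.
SUSPECT_ID = ("juanbianco", "solidityvlang")
SUSPECT_VERSION = "0.0.8"
SUSPECT_STRINGS = ("sleepyduck.xyz",
                   "0xdafb81732db454da238e9cfc9a9fe5fb8e34c465")  # lower-cased


def scan_extensions(root):
    """Check each extension folder under `root` (assumed layout: one folder
    per extension, e.g. ~/.vscode/extensions) and return (path, reason)
    findings; a missing or malformed manifest is skipped, never fatal."""
    findings = []
    for ext_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        try:
            meta = json.loads((ext_dir / "package.json").read_text("utf-8"))
        except (OSError, ValueError):
            continue  # no or malformed manifest: not an extension, skip
        ident = (str(meta.get("publisher", "")).lower(),
                 str(meta.get("name", "")).lower())
        if ident == SUSPECT_ID:
            findings.append((str(ext_dir),
                             f"extension id matches, version {meta.get('version')}"))
        # Check shipped JS for the indicators regardless of the id, so a
        # renamed or re-published copy is still caught.
        for js in sorted(ext_dir.rglob("*.js")):
            body = js.read_text("utf-8", errors="ignore").lower()
            hits = [s for s in SUSPECT_STRINGS if s in body]
            if hits:
                findings.append((str(js), "contains " + ", ".join(hits)))
    return findings


def build_sample_tree():
    """Constructed sample tree (not a real extension): one benign folder and
    one carrying only the indicator strings, to exercise the scanner."""
    root = Path(tempfile.mkdtemp(prefix="ext-scan-"))
    good = root / "someone.helper-1.0.0"
    good.mkdir()
    (good / "package.json").write_text(json.dumps(
        {"publisher": "someone", "name": "helper", "version": "1.0.0"}))
    (good / "extension.js").write_text("exports.activate = () => {};\n")
    bad = root / "juanbianco.solidityvlang-0.0.8"
    bad.mkdir()
    (bad / "package.json").write_text(json.dumps(
        {"publisher": "juanbianco", "name": "solidityvlang", "version": SUSPECT_VERSION}))
    (bad / "extension.js").write_text(  # constructed stand-in: strings only, no logic
        "const host = 'https://sleepyduck.xyz';\n"
        "const contract = '0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465';\n")
    return str(root)
```

Run `scan_extensions` against the real extensions directory to check a workstation; a hit on the indicator strings in a folder with a different id should be treated the same as an id match.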

Total records: 1