
Unmasking “SleepyDuck”: The Malicious VSX Extension Leveraging Ethereum for Command Server Resilience

Cybersecurity researchers have identified a new malicious extension in the Open VSX registry that is associated with a remote access trojan known as SleepyDuck. This extension, named juan-bianco.solidity-vlang (version 0.0.7), was initially released on October 31, 2025, and was later updated to version 0.0.8 on November 1, which introduced malicious features after achieving 14,000 downloads.

According to John Tuckner from Secure Annex, the malware employs sandbox evasion techniques and uses an Ethereum contract to update its command and control address if the original one is compromised. The malicious activity is triggered when a new code editor window is opened or a Solidity (.sol) file is opened.

The malware connects to a remote server at "sleepyduck.xyz" and uses the Ethereum blockchain as a fallback channel for locating that server. It polls every 30 seconds for new commands, and it collects system information such as hostname, username, MAC address, and timezone and sends this data back to the server. If the primary domain is shut down, the malware can still reach a predefined list of addresses to retrieve updated server details.

The operator can also push commands to every infected endpoint at once. The associated Ethereum contract was created on the same day as the extension’s first release, and the server details stored in it have been updated multiple times since then.

In a related incident, another batch of five malicious extensions was found in the VS Code Extension Marketplace, uploaded by a user known as "developmentinc." One of these, a Pokémon-themed library, was designed to download a script that mines cryptocurrency as soon as it was installed, running the miner with elevated privileges and disabling Windows Defender protections.

Users are urged to only download extensions from reputable sources. Microsoft has stated that it is implementing regular scans of the marketplace to detect and remove malicious items. All removed extensions can be viewed on its GitHub page.
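The indicators the article gives (the extension id juan-bianco.solidity-vlang, the publisher name "developmentinc", and the domain sleepyduck.xyz) are enough for a simple local check. The script below is an added example written for this page, not code from the article, from Secure Annex, or from the malware itself: it walks an editor's extensions directory, reads each extension's package.json, flags ids and publishers on the known-bad list, and looks for the C2 domain in any shipped JavaScript. The candidate directories under the home folder and the sample extension tree it builds are assumptions and constructed data, labelled as such in the code.

```python
"""Scan editor extension directories for the SleepyDuck indicators named in
the article. Added example; not the article's, Secure Annex's or the malware's code."""
import json
import tempfile
from pathlib import Path

# Indicators taken from the article text. Keep this list in sync with the
# vendor's own published removal list on a real deployment.
KNOWN_BAD_EXTENSIONS = {"juan-bianco.solidity-vlang"}
KNOWN_BAD_PUBLISHERS = {"developmentinc"}
KNOWN_C2_DOMAINS = {"sleepyduck.xyz"}


def default_extension_roots() -> list:
    """Assumed default locations; adjust for your editor build and OS."""
    home = Path.home()
    return [home / ".vscode" / "extensions", home / ".vscode-oss" / "extensions"]


def extension_id(manifest: dict) -> str:
    """Marketplace-style id is '<publisher>.<name>', case-insensitive."""
    return f"{manifest.get('publisher', '')}.{manifest.get('name', '')}".lower()


def scan_extension(ext_dir: Path) -> list:
    """Return (extension_id, reason) tuples for one installed extension."""
    findings = []
    manifest_path = ext_dir / "package.json"
    if not manifest_path.is_file():
        return findings
    try:
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
    except (json.JSONDecodeError, OSError):
        # An unreadable manifest is itself worth a look, but not an IoC match.
        return [(ext_dir.name, "unreadable package.json")]
    ext_id = extension_id(manifest)
    publisher = str(manifest.get("publisher", "")).lower()
    version = manifest.get("version", "")
    if ext_id in KNOWN_BAD_EXTENSIONS:
        findings.append((ext_id, f"known malicious extension id (version {version})"))
    if publisher in KNOWN_BAD_PUBLISHERS:
        findings.append((ext_id, f"publisher '{publisher}' is on the known-bad list"))
    # The article describes the extension contacting sleepyduck.xyz; a plain
    # string match over shipped scripts catches the unobfuscated case only.
    for src in ext_dir.rglob("*.js"):
        try:
            text = src.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        for domain in KNOWN_C2_DOMAINS:
            if domain in text:
                findings.append((ext_id, f"references C2 domain {domain} in {src.name}"))
    return findings


def scan_extensions_root(root: Path) -> list:
    """Scan every extension folder directly under one extensions directory."""
    if not root.is_dir():
        return []
    findings = []
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        findings.extend(scan_extension(ext_dir))
    return findings


def build_sample_root() -> Path:
    """Constructed sample tree: one benign extension and one that carries the
    article's indicators. The 'malicious' file is a stand-in, not real malware."""
    root = Path(tempfile.mkdtemp(prefix="ext-scan-"))
    benign = root / "ms-python.python-2024.1.0"
    benign.mkdir()
    (benign / "package.json").write_text(json.dumps(
        {"publisher": "ms-python", "name": "python", "version": "2024.1.0"}))
    (benign / "extension.js").write_text("module.exports = { activate() {} };\n")
    bad = root / "juan-bianco.solidity-vlang-0.0.8"
    bad.mkdir()
    (bad / "package.json").write_text(json.dumps(
        {"publisher": "juan-bianco", "name": "solidity-vlang", "version": "0.0.8"}))
    # Constructed placeholder mimicking a 30-second poll to the named domain.
    (bad / "extension.js").write_text(
        'const C2 = "https://sleepyduck.xyz";\nsetInterval(() => {}, 30000);\n')
    return root


if __name__ == "__main__":
    roots = default_extension_roots() + [build_sample_root()]
    for root in roots:
        for ext_id, reason in scan_extensions_root(root):
            print(f"[{root}] {ext_id}: {reason}")
```

Run as-is it scans the assumed default directories plus the constructed sample tree, printing one line per hit; the sample tree yields two findings for the one bad extension (the id match and the domain reference) and none for the benign one. Treat a domain hit in a real extension as a prompt to remove it and review the editor's network activity, not as proof on its own, since the match is a plain string search.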
