

Ethical Hacking News

Fake Solidity VSCode Extension Found on Open VSX, Exposes Users to Malware



A malicious Solidity extension was found on the Open VSX registry for VS Code, disguising itself as a legitimate tool to expose users to malware. Despite being found with malicious capabilities just one day after its initial submission, SleepyDuck was still downloaded over 53,000 times before being discovered by security platform Secure Annex.


  • A malicious Solidity extension called SleepyDuck was found on the Open VSX registry for VS Code extensions.
  • SleepyDuck is a remote access trojan (RAT) that disguises itself as a legitimate Solidity tool.
  • The extension had already reached 14,000 downloads before its malicious nature was uncovered and presented to users on the platform.
  • The malware collects system data and sets up a command execution sandbox when activated.
  • The Ethereum blockchain is used for C2 redundancy, allowing the malware to receive updated instructions directly from the blockchain.
  • Software developers should exercise caution when downloading VS Code extensions and only trust reputable publishers and their official repositories.


  • A recent discovery by extension security platform Secure Annex has shed light on a malicious Solidity extension found on the popular Open VSX registry for VS Code extensions. Dubbed SleepyDuck, this remote access trojan (RAT) disguises itself as a legitimate Solidity tool and was initially presented as harmless when it was first submitted to Open VSX on October 31st.

    However, after its initial submission as version 0.0.7, the extension received malicious capabilities via an update the very next day, by which time it had already reached 14,000 downloads. This indicates that SleepyDuck's malicious nature was swiftly uncovered and presented to users on the platform.

    The malicious code activates when a Solidity file is opened or when the user runs the Solidity compile command. Upon activation, it creates a lock file so that it runs only once per host, and calls a fake ‘webpack.init()’ function from ‘extension.js’ to appear legitimate.

    However, this malicious component collects system data (hostname, username, MAC address, and timezone) and sets up a command execution sandbox. It also loads a malicious payload that runs when initialized and begins a polling loop where it reads the smart contract with the C2 information from the Ethereum blockchain.

    [Figure: The smart contract used by SleepyDuck. Source: Secure Annex]

    The Ethereum blockchain is utilized for C2 redundancy, so if the primary command server goes offline, the malware reads updated instructions directly from the blockchain, including a new C2 server address or modified communication intervals.

    This polling function sends data about the system in a POST request and looks "for a command to execute from the response."

    Open VSX's growing popularity has placed it on the hackers’ radar, and it has received multiple malicious submissions targeting unsuspecting developers.

    Recently, the platform announced a set of security enhancements to make it safer for its users, including shortening token lifetimes, quickly revoking leaked credentials, automated scans, and sharing key info with VS Code about emerging threats.

    Software developers should exercise caution when downloading VS Code extensions, trusting only reputable publishers and their official repositories.
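
As an added example (not code from Secure Annex or from the extension itself), the following Node.js script triages an extension's manifest and source for the combination of behaviours described above: a Solidity activation trigger, host fingerprinting, command execution, and an Ethereum contract lookup. The regex patterns, the sample manifests and source fragments, and the `onCommand:solidity.compile` id are assumptions constructed for illustration, not published indicators.

```javascript
// Added example (not Secure Annex's tooling). The patterns are assumed
// heuristics for the behaviours the article describes, not published IoCs.
const BEHAVIOURS = {
  hostFingerprint: [/os\.hostname\s*\(/, /os\.userInfo\s*\(/, /networkInterfaces\s*\(/, /\.timeZone\b/],
  commandExecution: [/child_process/, /\bvm\.(runInNewContext|createContext|Script)\b/, /new Function\s*\(/],
  blockchainLookup: [/eth_call/, /ethers\.Contract/, /JsonRpcProvider/],
};

// Activation events that fire when a Solidity file opens or a compile command runs.
function solidityActivation(manifest) {
  return (manifest.activationEvents || []).filter(
    (e) => /^onLanguage:solidity$/i.test(e) || /^onCommand:.*compile/i.test(e)
  );
}

// Report which behaviour groups appear in the extension source, and flag the
// combination from the article: Solidity trigger + fingerprinting + command
// execution + blockchain lookup.
function triageExtension(manifest, source) {
  const hits = {};
  for (const [name, patterns] of Object.entries(BEHAVIOURS)) {
    const matched = patterns.filter((p) => p.test(source)).map((p) => p.source);
    if (matched.length > 0) hits[name] = matched;
  }
  const activation = solidityActivation(manifest);
  const suspicious =
    activation.length > 0 &&
    Object.keys(BEHAVIOURS).every((name) => name in hits);
  return { activation, hits, suspicious };
}

// Constructed samples: fragments for pattern matching only, not working code.
const FLAGGED_MANIFEST = { activationEvents: ["onLanguage:solidity", "onCommand:solidity.compile"] };
const FLAGGED_SOURCE = [
  "const info = { host: os.hostname(), user: os.userInfo().username };",
  "const nics = os.networkInterfaces();",
  "const sandbox = vm.createContext({});",
  "const contract = new ethers.Contract(ADDRESS_PLACEHOLDER, ABI, provider);",
].join("\n");
const BENIGN_MANIFEST = { activationEvents: ["onLanguage:solidity"] };
const BENIGN_SOURCE = "vscode.languages.registerDocumentFormattingEditProvider('solidity', formatter);";

console.log(triageExtension(FLAGGED_MANIFEST, FLAGGED_SOURCE));
console.log(triageExtension(BENIGN_MANIFEST, BENIGN_SOURCE));
```

A hit is a prompt for manual review of the extension and its publisher, since legitimate tooling can match individual patterns; only the full combination is flagged.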





  • Published: Mon Nov 3 16:47:47 2025 by llama3.2 3B Q4_K_M












