Malicious VSCode Extension 'SleepyDuck' Targets Ethereum Developers
Full Transcript
A new threat targeting Ethereum developers has emerged in the form of a malicious Visual Studio Code extension known as SleepyDuck. This remote access trojan was disguised as the popular Solidity extension in the Open VSX registry, a community-driven marketplace for VS Code extensions. As reported by Bleeping Computer, the extension, published as juan-bianco.solidity-vlang, was initially uploaded on October 31, 2025, as a benign tool. On November 1, shortly after it had amassed 14,000 downloads, it received a malicious update that turned it into a trojan capable of backdooring developers' systems. The extension, which has since been downloaded more than 53,000 times, uses an Ethereum smart contract as a fallback channel for its command and control server, so it can keep communicating even if the original server is taken down. SleepyDuck activates when a Solidity file is opened or a compile command is run, and it creates a lock file so that it executes only once per host. Its malicious payload is disguised inside a fake webpack.init() function, so the extension appears to be working as intended.
The Hacker News detailed that SleepyDuck uses sophisticated sandbox evasion techniques. It identifies the fastest Ethereum RPC (Remote Procedure Call) provider and uses a unique Ethereum contract address to establish contact with its command and control server at sleepyduck.xyz. The malware collects system data, including the hostname, username, MAC address, and timezone, and sends this information back to the attacker. If the original command and control server is taken down, SleepyDuck can read a new server address from the Ethereum blockchain, which keeps its infrastructure resilient. This capability highlights the increasing risks in Ethereum development environments, particularly as malicious submissions targeting Solidity developers have been on the rise.
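The two paragraphs above name three concrete indicators a defender can check a workstation against: the extension id juan-bianco.solidity-vlang, the command and control domain sleepyduck.xyz, and the webpack.init() function the payload hides in. The script below is an added example, not code from the article or from Bleeping Computer or The Hacker News, that walks the locally installed extension directories, reads each extension's package.json to recover its publisher.name id, and greps its JavaScript for those strings. The extension directory locations (~/.vscode/extensions for VS Code and ~/.vscode-oss/extensions for VSCodium, which installs from Open VSX) are assumptions about a typical Linux or macOS layout, and the sample extension tree it builds in a temporary directory is constructed data so the scanner can be exercised offline.

```python
"""Added example: scan locally installed VS Code / VSCodium extensions for the
SleepyDuck indicators named in the report.  Not code from the article."""
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Indicators taken from the report: the extension id, the C2 domain and the
# name of the function the payload is hidden in.
KNOWN_BAD_IDS = {"juan-bianco.solidity-vlang"}
SUSPICIOUS_STRINGS = ("sleepyduck.xyz", "webpack.init(")


def default_ext_roots() -> List[Path]:
    """Assumption: per-user extension directories for VS Code and VSCodium."""
    home = Path.home()
    return [home / ".vscode" / "extensions", home / ".vscode-oss" / "extensions"]


def extension_id(ext_dir: Path) -> Optional[str]:
    """Return 'publisher.name' from the extension's package.json, or None."""
    try:
        data = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None
    publisher, name = data.get("publisher"), data.get("name")
    if not publisher or not name:
        return None
    return f"{publisher}.{name}".lower()


def find_indicators(ext_dir: Path) -> List[str]:
    """Search every .js file under the extension for the string indicators."""
    hits: List[str] = []
    for js in sorted(ext_dir.rglob("*.js")):
        try:
            text = js.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        for needle in SUSPICIOUS_STRINGS:
            if needle in text:
                hits.append(f"{js.relative_to(ext_dir)}: contains {needle!r}")
    return hits


def scan(ext_roots) -> List[Dict]:
    """Scan each root; report every extension with at least one finding."""
    findings: List[Dict] = []
    for root in map(Path, ext_roots):
        if not root.is_dir():
            continue
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            ext_id = extension_id(ext_dir)
            reasons: List[str] = []
            if ext_id in KNOWN_BAD_IDS:
                reasons.append(f"known malicious extension id {ext_id}")
            reasons.extend(find_indicators(ext_dir))
            if reasons:
                findings.append({"path": str(ext_dir), "id": ext_id, "reasons": reasons})
    return findings


def build_sample(root: Path) -> None:
    """Constructed sample data: one extension mimicking the reported indicators
    and one benign extension, so the scanner can be exercised offline."""
    bad = root / "juan-bianco.solidity-vlang-0.0.2"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({
        "publisher": "juan-bianco", "name": "solidity-vlang",
        "activationEvents": ["onLanguage:solidity"],
    }))
    (bad / "extension.js").write_text(
        'function activate(ctx) { webpack.init("https://sleepyduck.xyz"); }\n'
    )
    good = root / "example.solidity-tools-1.0.0"
    good.mkdir(parents=True)
    (good / "package.json").write_text(
        json.dumps({"publisher": "example", "name": "solidity-tools"})
    )
    (good / "extension.js").write_text("function activate(ctx) { /* benign */ }\n")


def demo() -> List[Dict]:
    """Run the scanner against the constructed sample tree in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        return scan([tmp])


if __name__ == "__main__":
    real = scan(default_ext_roots())
    if not real:
        print("no findings in local extension directories; constructed sample:")
    for f in real or demo():
        print(f["path"])
        for r in f["reasons"]:
            print("  -", r)
```

The scan flags on either the extension id or the string indicators, so a renamed copy of the extension that still carries the domain or the disguised function name is caught, while an unrelated extension that merely bundles webpack is not, because the indicator is the call site webpack.init( rather than the word webpack. A match is a reason to remove the extension and review the host for the data collection the article describes, not proof on its own.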
The Open VSX platform has experienced an uptick in such malicious extensions, prompting it to implement enhanced security measures. In response to these threats, the platform is now shortening token lifetimes, revoking leaked credentials swiftly, and conducting automated scans to protect its users. Despite these measures, the popularity of Open VSX makes it an appealing target for cybercriminals. In a related incident, Kaspersky reported that a Russian developer lost $500,000 in cryptocurrency assets after unwittingly installing a rogue extension. The growing threat landscape underscores the need for developers to exercise extreme caution when downloading extensions, verifying sources and relying on trusted publishers. Software developers are advised to be vigilant, as the risk of encountering such malicious packages within the open-source ecosystem continues to grow, driven by the evolving tactics of threat actors. The SleepyDuck incident serves as a stark reminder of the security pitfalls in the cryptocurrency development landscape, particularly for those working within the Ethereum ecosystem.