Malicious Solidity Extension SleepyDuck Malware Targets Developers

SleepyDuck Malware Found in Open VSX Registry Using Ethereum Smart Contract for Remote Control; Additional Malicious Cryptocurrency Mining Extensions Discovered on VS Code Marketplace

  • A new malicious extension called SleepyDuck was found in the Open VSX registry.
  • The extension initially appeared harmless but added malware after 14,000 downloads.
  • SleepyDuck uses an Ethereum smart contract for remote control and evades detection.
  • Five more malicious extensions with cryptocurrency mining capabilities were discovered on the VS Code Marketplace.
  • Users are warned to download extensions only from trusted sources, with Microsoft implementing regular security scans.

Cybersecurity researchers have revealed a harmful extension called SleepyDuck in the Open VSX registry that operates as a remote access trojan. The extension, named juan-bianco.solidity-vlang, was first published on October 31, 2025, without malicious features but was updated on November 1 to include malware after reaching 14,000 downloads.


According to Secure Annex researcher John Tuckner, the malware uses techniques to avoid sandbox detection and connects to an Ethereum smart contract to update its command and control (C2) server address if needed. The contract address linked to the malware is 0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465.

The malware activates when users open a code editor window or select a file with the “.sol” extension used in Ethereum smart contract programming. It searches for the fastest Ethereum Remote Procedure Call (RPC) provider to connect and communicates with a server at “sleepyduck[.]xyz.” Every 30 seconds, it polls the server for new instructions to execute on the infected device.

SleepyDuck also gathers information such as the computer’s hostname, username, MAC address, and timezone, sending these details back to the attacker. If the main domain is taken down, the malware can retrieve new server details from a preset list of Ethereum RPC addresses to maintain control.

Separately, Secure Annex uncovered five additional malicious extensions in the Visual Studio Code Marketplace published by a user named “developmentinc.” One of these carries a Pokémon-themed library that downloads and runs a cryptocurrency miner for Monero. This miner runs with administrator privileges, disables Windows Defender scanning across drives, and executes mining software from an external server (“mock1[.]su”).


The five extensions identified are:
– developmentinc.cfx-lua-vs
– developmentinc.pokemon
– developmentinc.torizon-vs
– developmentinc.minecraftsnippets
– developmentinc.kombai-vs

All of these extensions have since been removed from the marketplace.

Users are urged to verify the credibility of extension publishers before downloading. Microsoft announced in June that it will conduct periodic, comprehensive scans of its extension marketplace to reduce malware risks. A list of removed extensions is publicly available on the RemovedPackages page on GitHub.
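To check a workstation for installed copies of the extensions named above, the following added example (not code from Secure Annex or from the article) scans per-user extension folders for the six IDs. The directory list and the `publisher.name-version` folder naming are assumptions about default VS Code, VSCodium and Cursor installs.

```python
import re
from pathlib import Path

# Extension IDs named in the article (publisher.name).
FLAGGED_IDS = {
    "juan-bianco.solidity-vlang",
    "developmentinc.cfx-lua-vs",
    "developmentinc.pokemon",
    "developmentinc.torizon-vs",
    "developmentinc.minecraftsnippets",
    "developmentinc.kombai-vs",
}

# Assumed default per-user extension directories, relative to the home folder.
DEFAULT_DIRS = [".vscode/extensions", ".vscode-oss/extensions",
                ".cursor/extensions", ".vscode-server/extensions"]

# Folder names look like "publisher.name-1.2.3", optionally with a platform suffix.
_FOLDER_RE = re.compile(r"^(?P<id>[^.]+\.[\w-]+?)-\d+\.\d+\.\d+.*$")

def extension_id(folder_name):
    """Return the lowercase publisher.name part of a folder name, or None."""
    m = _FOLDER_RE.match(folder_name)
    return m.group("id").lower() if m else None

def find_flagged(ext_dir):
    """List (extension_id, path) for flagged extensions found in one directory."""
    ext_dir = Path(ext_dir)
    if not ext_dir.is_dir():
        return []
    hits = []
    for entry in sorted(ext_dir.iterdir()):
        ext_id = extension_id(entry.name)
        if entry.is_dir() and ext_id in FLAGGED_IDS:
            hits.append((ext_id, entry))
    return hits

def scan_home(home=None):
    """Scan every assumed extension directory under the given home folder."""
    home = Path(home) if home else Path.home()
    return [hit for d in DEFAULT_DIRS for hit in find_flagged(home / d)]

if __name__ == "__main__":
    for ext_id, path in scan_home():
        print(f"FLAGGED {ext_id}: {path}")
```

An empty result only means none of these six IDs are present in the scanned folders; editors installed in non-default locations need their extension directory passed to `find_flagged` directly.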
