
Malicious VSX Extension SleepyDuck Targets Solidity Developers

2 unique sources, 2 articles

Summary


A malicious extension named SleepyDuck was discovered in the Open VSX registry. It targets Solidity developers and includes a remote access trojan. The extension was first published as a benign package on October 31, 2025, and updated to include malicious code on November 1, 2025, after reaching 14,000 downloads; it has since been downloaded more than 53,000 times. The malicious code activates when a new code editor window is opened, when a Solidity (.sol) file is opened or selected, or when the user runs the Solidity compile command. It gathers system information, exfiltrates it to the command-and-control (C2) server, and sets up a command execution sandbox. To keep its C2 reachable even if the original server is taken down, the malware stores the C2 address in an Ethereum smart contract: it picks the fastest available Ethereum RPC provider, reads the contract, and takes updated instructions directly from the blockchain. It has also been observed using sandbox evasion techniques. In response, Open VSX has announced security enhancements for its users, including shorter token lifetimes, faster revocation of leaked credentials, automated scans, and sharing key information about emerging threats with VS Code.

Timeline

  1. 03.11.2025 20:08 · 2 articles

    SleepyDuck Malicious Extension Discovered in Open VSX Registry

    The extension has been downloaded more than 53,000 times. The malicious code activates on editor startup, when a Solidity file is opened, or when the user runs the Solidity compile command. The malicious component collects system data (hostname, username, MAC address, and timezone) and sets up a command execution sandbox. The malware finds the fastest Ethereum RPC provider to read the smart contract with the C2 information and reads updated instructions directly from the blockchain.


Similar Happenings

GlassWorm malware targets OpenVSX, VS Code registries

The GlassWorm malware campaign has resurfaced on OpenVSX with three new VSCode extensions, downloaded over 10,000 times. The malware hides its malicious code behind invisible Unicode characters and targets GitHub, NPM, and OpenVSX account credentials as well as cryptocurrency wallet data. The campaign initially impacted 49 extensions with an estimated 35,800 downloads, a figure inflated by bots and visibility-boosting tactics. The Eclipse Foundation revoked leaked tokens and introduced security measures, but the threat actors pivoted to GitHub and have now returned to OpenVSX with updated command-and-control endpoints, posting a fresh transaction to the Solana blockchain that provides an updated C2 endpoint for downloading the next-stage payload. The attackers' server was inadvertently exposed, revealing a partial list of victims spanning the United States, South America, Europe, and Asia, including a major government entity in the Middle East; Koi Security accessed the server and shared victim data with law enforcement. The threat actor is assessed to be Russian-speaking and uses the open-source browser extension C2 framework RedExt as part of its infrastructure.

TigerJack Campaign Targets Developers with Malicious VSCode Extensions

The TigerJack campaign continues to target developers with malicious Visual Studio Code (VSCode) extensions, which have now also been found to leak access tokens, posing a critical software supply chain risk. The campaign has distributed at least 11 malicious VSCode extensions since the beginning of the year; two of them, C++ Playground and HTTP Format, were removed from VSCode but remain on OpenVSX. These extensions steal cryptocurrency, plant backdoors, and exfiltrate source code. The threat actor republishes the same malicious code under new names, making detection and removal challenging, and developers are advised to be cautious when downloading extensions from these platforms.

Over 100 VSCode extensions were found to leak access tokens, allowing attackers to distribute malicious updates. The leaked tokens include AI provider secrets, cloud service provider secrets, and database secrets. Microsoft has revoked the leaked PATs and is adding secret scanning capabilities to enhance security. Organizations are recommended to develop an extension inventory and consider a centralized allowlist for extensions.

A new malicious extension named susvsex, with basic ransomware capabilities, was published on Microsoft's official VS Code marketplace by 'suspublisher18'; its malicious functionality was openly advertised in its description. It steals files to a remote server and encrypts all files with AES-256-CBC. The extension activates on any event, including installation or launching VS Code, initializing the 'extension.js' file that contains its hardcoded variables (IP, encryption keys, command-and-control address). It calls a function named zipUploadAndEncrypt, which checks for the presence of a marker text file and then starts the encryption routine: it creates a .ZIP archive of the files in the defined target directory, exfiltrates it to the hardcoded C2 address, and then replaces all the files with their encrypted versions. For commands, the extension polls a private GitHub repository, periodically checking an 'index.html' file using a PAT for authentication, and tries to execute any commands found there. The owner of the repository is likely based in Azerbaijan. The extension is an overt threat and may be the result of an experiment to test Microsoft's vetting process. Secure Annex labels susvsex 'AI slop', with its malicious actions exposed in the README file, but notes that a few tweaks would make it far more dangerous. Microsoft initially ignored the report and did not remove the extension from the VS Code registry, but it was no longer available by the time the article was published.
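The recommendation above to keep an extension inventory and a centralized allowlist can be implemented as a small audit over the `package.json` manifests VS Code stores under `~/.vscode/extensions/<publisher>.<name>-<version>/`. The script below is an added example, not code from any of the reports or vendors cited here. It builds the inventory, flags extensions that are not on a hypothetical allowlist, and separately flags extensions whose `activationEvents` fire without any file-type trigger (the `*` event that susvsex used, or `onStartupFinished`), since those run on every editor launch. The manifests it audits are constructed sample data written to a temporary directory; the `ALLOWLIST`, the `goodvendor` and `example-publisher` names, and the `cpp.run` command are assumptions for the demo.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample manifests (not real extension contents). The folder names
# follow VS Code's <publisher>.<name>-<version> layout; the publisher and
# extension names other than suspublisher18/susvsex are invented for the demo.
SAMPLE_MANIFESTS = {
    "goodvendor.solidity-0.1.0": {
        "name": "solidity",
        "publisher": "goodvendor",
        "version": "0.1.0",
        # Only wakes up when a Solidity file is opened.
        "activationEvents": ["onLanguage:solidity"],
    },
    "suspublisher18.susvsex-1.0.0": {
        "name": "susvsex",
        "publisher": "suspublisher18",
        "version": "1.0.0",
        # "*" activates on every event, including install and editor launch.
        "activationEvents": ["*"],
    },
    "example-publisher.cpp-playground-2.0.0": {
        "name": "cpp-playground",
        "publisher": "example-publisher",
        "version": "2.0.0",
        # Runs as soon as the editor finishes starting, regardless of open files.
        "activationEvents": ["onStartupFinished", "onCommand:cpp.run"],
    },
}

# Hypothetical organisational allowlist of "publisher.name" identifiers.
ALLOWLIST = {"goodvendor.solidity"}

# Activation events that fire without the user touching a relevant file.
BROAD_ACTIVATION = {"*", "onStartupFinished"}


def write_sample_tree(root: Path) -> None:
    """Materialise the constructed manifests on disk so the audit runs offline."""
    for folder, manifest in SAMPLE_MANIFESTS.items():
        ext_dir = root / folder
        ext_dir.mkdir(parents=True, exist_ok=True)
        (ext_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")


def inventory(extensions_root: Path) -> list[dict]:
    """Build an inventory from every package.json directly under extensions_root."""
    records = []
    for manifest_path in sorted(extensions_root.glob("*/package.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable manifest: skip it rather than abort the audit
        publisher = manifest.get("publisher", "")
        name = manifest.get("name", "")
        records.append({
            "id": f"{publisher}.{name}".lower(),
            "version": manifest.get("version", ""),
            "activationEvents": list(manifest.get("activationEvents", [])),
            "path": str(manifest_path.parent),
        })
    return records


def assess(records: list[dict], allowlist: set[str]) -> list[dict]:
    """Attach findings: not on the allowlist, and/or activating without a file trigger."""
    results = []
    for rec in records:
        findings = []
        if rec["id"] not in allowlist:
            findings.append("not_allowlisted")
        if any(ev in BROAD_ACTIVATION for ev in rec["activationEvents"]):
            findings.append("broad_activation")
        results.append({**rec, "findings": findings})
    return results


def run_demo() -> dict[str, list[str]]:
    """Audit the constructed tree; returns {extension id: list of findings}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_tree(root)
        return {r["id"]: r["findings"] for r in assess(inventory(root), ALLOWLIST)}


if __name__ == "__main__":
    for ext_id, findings in run_demo().items():
        print(f"{ext_id}: {', '.join(findings) or 'ok'}")
```

To audit a real workstation, point `inventory()` at `Path.home() / ".vscode" / "extensions"` instead of the temporary tree and replace `ALLOWLIST` with the organisation's approved list; a broad activation event is not proof of malice on its own, but it is the property that let susvsex run on install, so it is worth reviewing for any extension that is also unapproved.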

WhiteCobra targets VSCode users with crypto-stealing extensions

A threat actor named WhiteCobra has targeted users of Visual Studio Code (VSCode), Cursor, and Windsurf by uploading 24 malicious extensions to the Visual Studio marketplace and the Open VSX registry. The extensions are designed to steal cryptocurrency. The campaign is ongoing, with the threat actor continuously replacing removed extensions with new malicious ones. Core Ethereum developer Zak Cole reported that his wallet was drained after using a seemingly legitimate extension for the Cursor code editor. The extensions appear legitimate due to professionally designed icons, detailed descriptions, and inflated download counts. WhiteCobra previously conducted a $500,000 crypto-theft campaign in July using a fake extension for the Cursor editor.