Malicious VSX Extension “SleepyDuck” Uses Ethereum to Keep Its Command Server Alive

A new malicious extension in the Open VSX registry, SleepyDuck, is exploiting Visual Studio Code to steal blockchain data and take control of affected systems. It uses Ethereum contract updates and fallback control mechanisms to maintain persistence and evade detection.

Key points

  • A malicious extension named juan-bianco.solidity-vlang was updated to include a remote access Trojan called SleepyDuck.
  • The malware connects to an Ethereum contract to receive commands and exfiltrate system information.
  • It employs sandbox evasion techniques and fallback Ethereum RPC addresses to maintain persistence.
  • Another set of malicious extensions targeting Visual Studio Code also features cryptocurrency mining scripts.
  • Users are urged to install extensions only from trusted sources, and Microsoft is conducting periodic scans to detect malware.
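To check a workstation for the extension named above, the following added example (not code from the article or from any vendor) walks local extension folders and reports installs whose ID matches. The folder list is an assumption covering default locations for VS Code and common forks, and any installed version is reported because the page does not say which versions carry the malicious update.

```python
import json
import re
from pathlib import Path

# Extension ID named on this page; every installed version is reported because
# the page does not say which versions carry the malicious update.
FLAGGED_IDS = {"juan-bianco.solidity-vlang"}

# Assumed default extension directories for VS Code and common forks.
DEFAULT_ROOTS = [Path.home() / d / "extensions"
                 for d in (".vscode", ".vscode-oss", ".cursor", ".windsurf")]

# Install folders are named "<publisher>.<name>-<version>".
_DIR_RE = re.compile(r"^(?P<id>[^.]+\.[^.]+?)-(?P<ver>\d+\.\d+\.\d+.*)$")


def extension_identity(ext_dir):
    """Return (id, version) from package.json, else from the directory name."""
    try:
        manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        publisher, name = manifest["publisher"], manifest["name"]
        return f"{publisher}.{name}".lower(), str(manifest.get("version", "?"))
    except (OSError, ValueError, KeyError, TypeError):
        # Missing or malformed manifest: fall back to the folder name.
        m = _DIR_RE.match(ext_dir.name)
        return (m["id"].lower(), m["ver"]) if m else (None, None)


def find_flagged(roots=DEFAULT_ROOTS, flagged=FLAGGED_IDS):
    """List (path, id, version) for every installed extension whose ID is flagged."""
    wanted = {i.lower() for i in flagged}
    hits = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            ext_id, version = extension_identity(ext_dir)
            if ext_id in wanted:
                hits.append((str(ext_dir), ext_id, version))
    return hits


if __name__ == "__main__":
    for path, ext_id, version in find_flagged():
        print(f"FLAGGED {ext_id} {version} at {path}")
```

A hit means the extension folder is present on disk; the script does not inspect the extension's code or network behaviour.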

Read More: https://thehackernews.com/2025/11/malicious-vsx-extension-sleepyduck-uses.html