Malicious VSX Extension SleepyDuck: New Cybersecurity Threat Uncovered
Author: Infosec Now
Uploaded: 2025-12-30
Views: 3
What you'll learn: In this video, we look at the emergence of a new threat known as SleepyDuck, a malicious extension found in the Open VSX registry that bundles a remote access trojan aimed at developers. We'll cover the timeline of its discovery, the impact on developers and organizations, and the steps that can be taken to reduce the risk from threats of this kind.
On November 3, 2025, security researchers flagged a new malicious extension in the Open VSX registry carrying a remote access trojan called SleepyDuck. The extension, juan-bianco.solidity-vlang, was first published on October 31, 2025, as version 0.0.7, a benign library. On November 1, 2025, it was updated to version 0.0.8, which added the malicious code, after the listing had amassed 14,000 downloads. A benign first release followed by a malicious update is a common pattern: the extension is installed while clean, and the auto-update later delivers the payload to users who never review the changed version.
According to John Tuckner of Secure Annex, the malware includes sandbox evasion checks and stores its command-and-control (C2) server address in an Ethereum smart contract. If the original server address is taken down, the operator updates the contract and the malware reads the new location from the chain, so a domain takedown alone does not neutralize it. The malware activates when a new editor window is opened or a .sol file is selected, connects to a remote server at sleepyduck[.]xyz, and polls for commands to execute every 30 seconds.
The implications are serious, particularly for developers working with Solidity, the audience the extension's name targets. The malware collects host details such as hostname, username, MAC address, and timezone and exfiltrates them to the command server. There are also concerns that the extension's download counts were artificially inflated, a tactic used to make a malicious listing look established and widely trusted so that developers install it without hesitation.
This incident is part of a broader trend of rogue extensions targeting developers, illustrated by a case in July 2025 in which a Russian developer lost $500,000 in cryptocurrency to a similar malicious extension. As the threat landscape evolves, organizations must remain vigilant against such risks.
In response to this incident, users are advised to install extensions only from publishers they have verified, and to treat a sudden version bump on a previously quiet extension as a reason to review the change before updating. Microsoft has announced plans to run periodic marketplace-wide scans of its Visual Studio Marketplace to catch malware. Developers should also regularly check the RemovedPackages page on GitHub for extensions removed on security grounds; note that it covers the Microsoft marketplace, while Open VSX is operated separately by the Eclipse Foundation, so both sources need to be watched.
Going forward, it will be important to monitor developments around SleepyDuck and similar threats. Organizations should tighten their controls, including regular audits of installed extensions (which identifiers and versions are present, and which activation events they declare) and awareness training so developers recognize the warning signs. By staying informed and proactive, developers can better protect themselves against these threats.
In summary, the SleepyDuck extension is a stark reminder of how exposed software development environments are to supply-chain attacks. By understanding the risks and taking appropriate action, developers can safeguard their projects and maintain the integrity of their development processes.
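As an added example (not code from the page, the video, or any vendor), the following script performs the extension audit described above. It assumes the on-disk layout VS Code and VSCodium use (one directory per extension containing a package.json, typically under ~/.vscode/extensions or ~/.vscode-oss/extensions), flags the identifier named on the page regardless of version, and flags any extension declaring activation events that fire on every new window or on Solidity files, which is how a SleepyDuck-style extension would arrange to run on the triggers the page describes. The sample extension tree it builds is constructed for the demo.

```python
"""Audit installed editor extensions for a blocklisted identifier and for
broad activation events. Added example; assumptions are noted inline."""
import json
import tempfile
from pathlib import Path

# Identifier named on the page. Matched regardless of version: 0.0.7 was
# clean on its own, but the publisher is not one to keep installed.
BLOCKLIST = {"juan-bianco.solidity-vlang"}

# Real VS Code activation event names. Assumption: these are what an
# extension declares to wake on every new window ("*", "onStartupFinished")
# or whenever a .sol file is opened ("onLanguage:solidity").
BROAD_EVENTS = {"*", "onStartupFinished", "onLanguage:solidity"}


def audit_extensions(ext_root):
    """Return one finding per suspicious extension under ext_root.

    Each finding is {"id": "publisher.name", "version": str, "reasons": [...]}.
    Extensions that match nothing are not reported.
    """
    findings = []
    for pkg in sorted(Path(ext_root).glob("*/package.json")):
        try:
            meta = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            findings.append({"id": pkg.parent.name, "version": "?",
                             "reasons": ["unreadable package.json"]})
            continue
        ext_id = f"{meta.get('publisher', '?')}.{meta.get('name', '?')}".lower()
        version = str(meta.get("version", "?"))
        events = set(meta.get("activationEvents") or [])
        reasons = []
        if ext_id in BLOCKLIST:
            reasons.append("identifier is on the blocklist")
        broad = sorted(events & BROAD_EVENTS)
        if broad:
            reasons.append("broad activation events: " + ", ".join(broad))
        if reasons:
            findings.append({"id": ext_id, "version": version, "reasons": reasons})
    return findings


def build_sample_tree():
    """Create a constructed extensions directory in a temp dir for the demo."""
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    samples = {
        # Constructed manifest mirroring the identifier and version on the page.
        "juan-bianco.solidity-vlang-0.0.8": {
            "publisher": "juan-bianco", "name": "solidity-vlang",
            "version": "0.0.8",
            "activationEvents": ["*", "onLanguage:solidity"],
        },
        # Constructed benign extension that only activates on a command.
        "acme.hello-world-1.2.0": {
            "publisher": "acme", "name": "hello-world", "version": "1.2.0",
            "activationEvents": ["onCommand:hello.world"],
        },
        # Constructed, not blocklisted, but wakes on every startup.
        "acme.theme-pack-0.3.1": {
            "publisher": "acme", "name": "theme-pack", "version": "0.3.1",
            "activationEvents": ["onStartupFinished"],
        },
    }
    for dirname, manifest in samples.items():
        d = root / dirname
        d.mkdir()
        (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    for f in audit_extensions(build_sample_tree()):
        print(f["id"], f["version"], "->", "; ".join(f["reasons"]))
```

Point audit_extensions at the real extensions directory to run it against a workstation. A broad activation event is a prompt for review, not proof of malice (themes and linters legitimately use onStartupFinished), and since VS Code 1.74 an extension that contributes a language can activate on it without listing any activationEvents at all, so an empty list does not mean the extension is inert.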