SleepyDuck VSX Extension - Ethereum-Backed RAT Campaign
Category: Threat Alerts / Malware & Ransomware
SleepyDuck VSX extension abuse exposes Solidity developers to a stealthy remote access trojan that hides its command infrastructure on the Ethereum blockchain. Researchers at Secure Annex discovered the malicious juan-bianco.solidity-vlang extension in the Open VSX registry, initially published as a benign helper on October 31, 2025 and updated to a backdoored 0.0.8 release after reaching roughly 14,000 downloads. Once installed, SleepyDuck activates whenever a new editor window opens or a .sol file is selected, collecting system information such as hostname, username, MAC address, and timezone before beaconing to its controller.

Instead of relying on a static C2 domain, the malware queries an Ethereum smart contract at address 0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465 to retrieve its active server, currently sleepyduck[.]xyz, and falls back to additional RPC endpoints if infrastructure is disrupted. The contract can update configuration parameters, broadcast emergency commands, or point compromised hosts to a fresh control server, making takedown efforts more complex.

The campaign follows earlier incidents where rogue VS Code extensions and alternative marketplaces were used to steal cryptocurrency and credentials from blockchain developers. In parallel, investigators identified a separate cluster of developer-themed extensions that silently deploy a Monero miner by downloading a batch script from mock1[.]su and disabling Microsoft Defender with aggressive exclusion rules. The SleepyDuck VSX extension wave demonstrates how extension marketplaces have become a high-yield supply-chain vector for targeting crypto-focused engineers and build environments that often hold direct access to wallets and private keys.
CORTEX Protocol Intelligence Assessment
Business Impact: SleepyDuck VSX extension campaigns jeopardize developer endpoints that often hold seed phrases, signing keys, and production access, creating direct paths to cryptocurrency theft and code tampering.
Defensive Priority: Enforce extension whitelisting for developer tools, monitor outbound Ethereum RPC activity from workstations, and treat unvetted extensions as potential remote access threats.
Industry Implications: Developer ecosystems and plugin marketplaces are now core elements of the supply chain attack surface for crypto and Web3 organizations.
Strategic Intelligence Guidance
- Standardize VS Code and Open VSX extension baselines, allowing only pre-approved publishers and automatically removing extensions that fall outside a managed list.
- Monitor for unexpected Ethereum RPC traffic from developer endpoints and correlate contract interactions with known malicious addresses like SleepyDuck's contract.
- Harden developer workstations by separating signing keys, wallets, and production access into hardened vaults or dedicated devices rather than general IDE machines.
- Continuously review extension inventories across teams, using EDR or asset management tools to detect and quarantine newly installed high-risk plugins.
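As an added example (not code from the alert or from Secure Annex), the following Python sketches the correlation the guidance above describes for the contract-based C2 lookup: it scans constructed proxy log lines for the resolved C2 domain and for eth_call requests addressed to the contract named in the alert, and flags any other Ethereum JSON-RPC from a workstation not on an assumed allow-list. The log format, the RPC provider hostname and the allow-list are assumptions.

```python
import json

# Indicators from the alert: the contract address is lower-cased before
# comparison (logs mix checksum and lower case); the domain is refanged.
SLEEPYDUCK_CONTRACT = "0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465".lower()
SLEEPYDUCK_DOMAIN = "sleepyduck[.]xyz".replace("[.]", ".")
APPROVED_RPC_CLIENTS = {"web3-gateway-01"}  # assumption: hosts allowed to use Ethereum RPC

# Constructed proxy log lines: "<host> <dest> <method> <path> [<request body>]".
SAMPLE_LOG = [
    "dev-laptop-07 sleepyduck.xyz GET /beacon",
    'dev-laptop-07 rpc.example-provider.test POST / {"jsonrpc":"2.0","id":1,'
    '"method":"eth_call","params":[{"to":"0xdafb81732db454da238e9cfc9a9fe5fb8e34c465",'
    '"data":"0x"},"latest"]}',
    'dev-laptop-12 rpc.example-provider.test POST / {"jsonrpc":"2.0","id":2,'
    '"method":"eth_blockNumber","params":[]}',
    'web3-gateway-01 rpc.example-provider.test POST / {"jsonrpc":"2.0","id":3,'
    '"method":"eth_blockNumber","params":[]}',
    'dev-laptop-12 updates.example.test POST /telemetry {"event":"ping"}',
]

def classify(line):
    parts = line.split(" ", 4)  # keep the JSON body intact even if it has spaces
    if len(parts) < 4:
        return None
    host, dest, method = parts[0], parts[1], parts[2]
    body = parts[4] if len(parts) == 5 else ""
    # Any contact with the resolved C2 domain is a finding regardless of protocol.
    if dest == SLEEPYDUCK_DOMAIN or dest.endswith("." + SLEEPYDUCK_DOMAIN):
        return {"host": host, "severity": "critical", "reason": "known C2 domain"}
    if method != "POST" or not body:
        return None
    try:
        rpc = json.loads(body)
    except json.JSONDecodeError:
        return None
    if rpc.get("jsonrpc") != "2.0":  # only JSON-RPC 2.0 bodies are Ethereum RPC
        return None
    params = rpc.get("params") or []
    to = params[0].get("to", "") if params and isinstance(params[0], dict) else ""
    # A read-only eth_call against the alert's contract is the C2 lookup itself.
    if rpc.get("method") == "eth_call" and to.lower() == SLEEPYDUCK_CONTRACT:
        return {"host": host, "severity": "critical", "reason": "eth_call to SleepyDuck contract"}
    # Any other Ethereum RPC from a non-approved workstation still merits review.
    if host not in APPROVED_RPC_CLIENTS:
        return {"host": host, "severity": "medium", "reason": f"unexpected {rpc.get('method')} to {dest}"}
    return None

def scan(lines):
    return [f for f in map(classify, lines) if f]
```

Real deployments should feed the same logic from proxy or EDR network telemetry rather than a static list, and should treat the contract address as one indicator among several since the contract can redirect infected hosts to new servers.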
Intelligence Source: SleepyDuck VSX Extension - Ethereum-Backed RAT Campaign | Nov 4, 2025