Security researchers flagged a malicious extension in the Open VSX registry that installs a remote access trojan dubbed SleepyDuck. The package, published as juan-bianco.solidity-vlang, appeared on October 31, 2025 as a benign library and was updated to version 0.0.8 on November 1 after reaching roughly 14,000 downloads, according to Secure Annex researcher John Tuckner.
The extension is triggered when a new editor window is opened or when a .sol file is selected. It is configured to locate the fastest available Ethereum Remote Procedure Call (RPC) provider before initiating contact with a remote server at the domain sleepyduck[.]xyz through a smart contract at 0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465.
Once active, the malware enters a polling loop that checks for commands every 30 seconds, and it can collect system details such as hostname, username, MAC address and timezone and send those to the operator. If the domain is taken down, the code can query a list of Ethereum RPC addresses to retrieve contract data that may contain updated server information; the threat actor account linked on-chain is visible at 0x0edcfe26cf600fb56ae6aaf3f1d943c811314573.
Secure Annex noted the contract was created on October 31, 2025 and that the on-chain configuration was changed over four transactions from an initial value of “localhost:8080” to sleepyduck[.]xyz. The researcher also said download counts for the extension are likely manipulated to boost visibility and make it easier for unsuspecting developers to find and install the package.
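An added example, not code from Secure Annex or from the extension: a local audit that walks unpacked editor extensions and flags the extension ID, domain and contract address named above. The extension folder locations and the file suffixes scanned are assumptions about a typical install.

```python
import json
from pathlib import Path

# Indicators copied from the article; the domain is re-fanged only for matching.
BAD_EXTENSION_ID = "juan-bianco.solidity-vlang"
IOC_STRINGS = ["sleepyduck[.]xyz".replace("[.]", "."),
               "0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465".lower()]
# Assumption: usual per-user extension folders of VS Code-compatible editors.
DEFAULT_ROOTS = [Path.home() / d / "extensions"
                 for d in (".vscode", ".vscode-oss", ".cursor", ".windsurf")]
TEXT_SUFFIXES = {".js", ".cjs", ".mjs", ".json"}


def audit_extension(ext_dir):
    """Return findings for one unpacked extension directory."""
    findings = []
    try:
        meta = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return findings  # no readable manifest: not an extension folder
    if not isinstance(meta, dict):
        return findings
    ext_id = f"{meta.get('publisher', '')}.{meta.get('name', '')}".lower()
    if ext_id == BAD_EXTENSION_ID:
        findings.append(f"known-bad id {ext_id} version {meta.get('version', '?')}")
    for path in sorted(ext_dir.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace").lower()
        except OSError:
            continue
        rel = path.relative_to(ext_dir)
        findings += [f"indicator {i} in {rel}" for i in IOC_STRINGS if i in text]
    return findings


def audit_roots(roots=DEFAULT_ROOTS):
    """Map each flagged extension directory to its list of findings."""
    report = {}
    for root in (r for r in roots if r.is_dir()):
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            hits = audit_extension(ext_dir)
            if hits:
                report[str(ext_dir)] = hits
    return report


if __name__ == "__main__":
    print(json.dumps(audit_roots(), indent=2))
```

No findings means only that these literal strings are absent; an obfuscated or re-published build would not match.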
The same firm disclosed a separate set of five extensions published to the VS Code Extension Marketplace by a user named “developmentinc.” One of those libraries used a Pokémon theme and dropped a batch-script miner fetched from an external server, which relaunched with elevated privileges and configured Microsoft Defender exclusions before downloading and executing a Monero miner. The removed packages were listed by the researcher under the developmentinc namespace.
Users are advised to exercise caution when installing editor extensions and to obtain them from trusted publishers. Microsoft said in June it is instituting periodic marketplace-wide scans to help protect users, and removed extensions can be reviewed on the RemovedPackages page on GitHub.

