
Malicious Solidity VSCode Extension Backdoors Developers

Summary

– SleepyDuck is a remote access trojan disguised as a Solidity extension in the Open VSX registry, using an Ethereum smart contract for attacker communication.
– The malicious extension ‘juan-bianco.solidity-vlang’ was downloaded over 53,000 times and initially appeared harmless before receiving a malicious update.
– It activates when opening Solidity files or running compile commands, loading a fake webpack function to deploy its payload while collecting system data.
– The malware uses Ethereum blockchain for command-and-control redundancy, allowing it to remain functional even if the primary server is taken down.
– Open VSX has implemented security enhancements in response to such threats, and developers should only download extensions from trusted sources.

A dangerous remote access trojan known as SleepyDuck has been discovered posing as a legitimate Solidity extension within the Open VSX registry, targeting developers who use popular AI-driven IDEs such as Cursor and Windsurf. This malicious package, listed under the name ‘juan-bianco.solidity-vlang’, has already been downloaded over 53,000 times. Initially harmless when first submitted on October 31st, it received a harmful update just one day later, by which time it had already accumulated 14,000 downloads.

According to security researchers at Secure Annex, SleepyDuck stands out because it uses an Ethereum smart contract to maintain communication with its command-and-control infrastructure. This tactic ensures that even if the primary C2 server at sleepyduck[.]xyz is disabled, the malware can continue operating by pulling updated instructions directly from the Ethereum blockchain. This blockchain-based redundancy gives the threat long-term persistence and makes disruption efforts far more difficult.

The malicious code activates under several conditions: when the Visual Studio Code editor starts, when a Solidity file is opened, or when the user triggers the Solidity compile command. To avoid raising suspicion, it creates a lock file so it only runs once per host and disguises its activity by calling a fake `webpack.init()` function from `extension.js`. In reality, this function loads a harmful payload.

Once active, SleepyDuck harvests sensitive system information, including the hostname, username, MAC address, and timezone, and establishes a command execution sandbox. Researchers note that the malware first identifies the fastest available Ethereum RPC provider to read the smart contract containing C2 details. It then launches a sleepyduck instance, updates its configuration, and enters a polling loop.

The use of the Ethereum blockchain for command-and-control redundancy is a sophisticated feature. If the primary server becomes unreachable, the malware retrieves new instructions, such as an alternate C2 address or adjusted polling intervals, directly from the blockchain. This ensures operational continuity even after security teams take down the main infrastructure.

The polling function sends collected system data via a POST request and awaits commands from the attacker. This allows remote execution of unauthorized code on the developer’s machine. The rising popularity of Open VSX has made it an attractive target for threat actors, with multiple malicious submissions aimed at developers who may not be expecting such risks.
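A defender-side check for the indicators this article names, added here as an example and not taken from the article, from Secure Annex or from Bleeping Computer: it walks local editor extension directories and flags any extension whose id matches, or whose JavaScript references the C2 domain or the fake `webpack.init()` call. The `~/.cursor` and `~/.windsurf` extension paths are assumptions, and the two extensions built in `demo()` are constructed fixtures.

```python
import json
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: the extension id, the C2 domain
# (defanged there as sleepyduck[.]xyz) and the fake webpack.init() call.
MALICIOUS_ID = "juan-bianco.solidity-vlang"
CONTENT_INDICATORS = [re.compile(r"sleepyduck\.xyz", re.I), re.compile(r"webpack\.init\s*\(")]
# ~/.vscode/extensions is standard; the Cursor and Windsurf paths are assumed.
EXTENSION_ROOTS = [Path.home() / d / "extensions"
                   for d in (".vscode", ".cursor", ".windsurf")]

def extension_id(ext_dir):
    """publisher.name from the extension's package.json, or None if unreadable."""
    try:
        meta = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        return f"{meta['publisher']}.{meta['name']}".lower()
    except (OSError, ValueError, KeyError):
        return None

def scan_extension(ext_dir):
    """Return the indicators matched inside one installed extension directory."""
    hits = []
    if extension_id(ext_dir) == MALICIOUS_ID:
        hits.append("extension id " + MALICIOUS_ID)
    for js in sorted(ext_dir.rglob("*.js")):
        text = js.read_text(encoding="utf-8", errors="ignore")
        hits += [f"{p.pattern} in {js.relative_to(ext_dir)}"
                 for p in CONTENT_INDICATORS if p.search(text)]
    return hits

def scan_roots(roots=EXTENSION_ROOTS):
    """Map each suspicious extension directory under the roots to its hits."""
    findings = {}
    for root in (r for r in roots if r.is_dir()):
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            hits = scan_extension(ext_dir)
            if hits:
                findings[str(ext_dir)] = hits
    return findings

def demo():
    """Scan a constructed fixture: one benign extension, one carrying the indicators."""
    fixture = [("good-pub", "solidity", "module.exports = {};"),
               ("juan-bianco", "solidity-vlang", "webpack.init(); // https://sleepyduck.xyz")]
    with tempfile.TemporaryDirectory() as tmp:
        for pub, name, js in fixture:
            d = Path(tmp) / f"{pub}.{name}-1.0.0"
            d.mkdir()
            (d / "package.json").write_text(json.dumps({"publisher": pub, "name": name}))
            (d / "extension.js").write_text(js)
        return {Path(k).name: v for k, v in scan_roots([Path(tmp)]).items()}
```

Running `scan_roots()` with no arguments checks the real extension directories of the current user; a match on the id alone is enough to warrant removing the extension and rotating any credentials the machine held.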

In response to these threats, Open VSX has introduced several security improvements. These include shortening token expiration times, rapidly revoking leaked credentials, performing automated security scans, and sharing critical threat intelligence with the VS Code team. Despite these measures, developers must remain cautious. Always download VS Code extensions from trusted, verified publishers and rely on official repositories to minimize exposure to such supply-chain attacks.

(Source: Bleeping Computer)
