
New Malicious VSX Extension 'SleepyDuck' Uses Ethereum for Resilient C2 Infrastructure
Researchers have identified a malicious extension in the Open VSX registry that carries a remote access Trojan (RAT) known as SleepyDuck. The extension, juan-bianco.solidity-vlang, was first published as a benign library on October 31, 2025, then updated to version 0.0.8 on November 1 with the malicious functionality added. Its use of Ethereum to maintain its command and control (C2) server is particularly noteworthy: relying on a decentralized blockchain makes the C2 infrastructure more resilient to disruption. The incident illustrates how threat actors increasingly abuse legitimate platforms and technologies to distribute malware, and it underscores the need for continuous monitoring and verification of software updates, even those from trusted sources. Cybersecurity professionals should watch for unusual network activity, particularly traffic to decentralized platforms, which may indicate C2 communication, and should maintain robust controls to mitigate the risk of supply chain attacks.
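As an added example (not code from the report or the researchers), a small Python audit that applies the two defensive checks the summary recommends: flag installed extensions whose version drifted from a pinned allowlist, and flag extension source that references Ethereum JSON-RPC, which is unusual for an editor extension. The pinned version, the source snippets and the assumption that an Ethereum-based C2 would be resolved over JSON-RPC are constructed for illustration; only the extension id and version 0.0.8 come from the summary.

```python
"""Audit IDE extensions for two signals: an unexpected version bump relative
to a pinned allowlist, and source code that talks to Ethereum JSON-RPC."""
import re

# Method names from the public Ethereum JSON-RPC spec plus a generic JSON-RPC
# frame. An editor extension has little reason to contain any of these.
ETH_RPC_PATTERN = re.compile(
    r'\b(eth_call|eth_getStorageAt|eth_getLogs|eth_blockNumber)\b'
    r'|"jsonrpc"\s*:\s*"2\.0"'
)


def version_drift(installed: dict, pinned: dict) -> list:
    """Return (extension, pinned_version, installed_version) for each extension
    whose installed version differs from the pin; pinned_version is None when
    the extension is not on the allowlist at all."""
    return [(ext, pinned.get(ext), ver)
            for ext, ver in installed.items() if pinned.get(ext) != ver]


def eth_rpc_hits(source: str) -> list:
    """Distinct Ethereum JSON-RPC indicators found in an extension's source."""
    return sorted({m.group(0) for m in ETH_RPC_PATTERN.finditer(source)})


def audit(installed: dict, pinned: dict, sources: dict) -> dict:
    """'high' when an extension drifted from its pin AND references Ethereum
    RPC (a silent update that now speaks to the blockchain), 'medium' for
    either signal alone; clean extensions are omitted."""
    drifted = {ext for ext, _, _ in version_drift(installed, pinned)}
    report = {}
    for ext in installed:
        hits = eth_rpc_hits(sources.get(ext, ""))
        if ext in drifted and hits:
            report[ext] = "high"
        elif ext in drifted or hits:
            report[ext] = "medium"
    return report


# Constructed sample data: the pinned version 0.0.1 is a placeholder for
# whatever version was installed before the 0.0.8 update.
INSTALLED = {"juan-bianco.solidity-vlang": "0.0.8", "example.good-ext": "1.2.0"}
PINNED = {"juan-bianco.solidity-vlang": "0.0.1", "example.good-ext": "1.2.0"}
SOURCES = {
    "juan-bianco.solidity-vlang":
        'fetch(rpc,{body:JSON.stringify({"jsonrpc":"2.0","method":"eth_call"})})',
    "example.good-ext": "vscode.window.showInformationMessage('hi')",
}

if __name__ == "__main__":
    for ext, level in audit(INSTALLED, PINNED, SOURCES).items():
        print(f"{level}: {ext}")
```

In practice, `INSTALLED` would be read from the editor's extensions directory and `PINNED` from a version-controlled allowlist, so a version change that nobody approved surfaces before the extension runs again.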