A newly discovered remote access trojan (RAT) called SleepyDuck has infiltrated the Open VSX marketplace by disguising itself as a legitimate Solidity extension. Discovered on October 31, 2025, this malware represents a sophisticated supply chain attack targeting developers worldwide on Windows platforms. The malicious SleepyDuck extension initially appeared safe but was updated to include malicious capabilities after accumulating over 14,000 downloads. Once activated, SleepyDuck collects sensitive system data, evades sandbox detection mechanisms, and maintains persistent communication with its command-and-control server. What makes SleepyDuck particularly dangerous is its innovative use of Ethereum blockchain technology to maintain control even when its primary command server becomes unavailable. This blockchain-based resilience makes SleepyDuck significantly more difficult to disrupt compared to traditional remote access trojans. The SleepyDuck threat highlights growing supply chain attack risks that exploit developer trust in coding tools and IDE extensions.
The SleepyDuck remote access trojan emerged in the Open VSX IDE extension marketplace masquerading as a legitimate Solidity extension. The malicious extension, identified as juan-bianco.solidity-vlang, was initially released on October 31, 2025, presenting itself as a safe development tool. The threat actors behind SleepyDuck quietly updated the extension to version 0.0.8 on November 1, 2025, introducing malicious capabilities after the extension had already accumulated over 14,000 downloads. This SleepyDuck attack demonstrates advanced sandbox evasion techniques and employs an Ethereum smart contract infrastructure that allows the malware to dynamically update its command-and-control server address, ensuring persistent control over infected systems even when takedown efforts target the original infrastructure.
SleepyDuck activates whenever a user opens a new code editor window or selects a .sol (Solidity) file within their development environment. The malware leverages the extension.js entry point, a commonly exploited mechanism in IDE extensions, to disguise itself as a legitimate helper extension for developers. The true malicious purpose of SleepyDuck is revealed through an activation function that creates a lock file, ensuring the malware runs only once before executing a fake webpack.init() function containing malicious logic. Upon initialization, SleepyDuck performs four core operations: determining the fastest Ethereum RPC provider, initializing its malicious components, fetching updated configuration from remote sources, and beginning communication with its default command-and-control server at sleepyduck.xyz, polling every 30 seconds for instructions from threat actors.
During the setup process, SleepyDuck gathers sensitive system details including hostname, username, MAC address, and timezone information, which helps the malware evade detection in sandboxed environments commonly used for security analysis. The trojan constructs a controlled JavaScript environment using vm.createContext(sandbox), allowing it to safely execute remote commands without triggering security alerts. SleepyDuck continuously exchanges data with the command-and-control server, sending collected system details and awaiting further commands that may instruct it to download additional payloads, exfiltrate files, or perform system manipulations on compromised developer workstations.
To maintain resilience against takedown efforts, SleepyDuck is equipped with a clever fallback mechanism that ensures continued communication even if its primary server goes offline. The malware embeds a reference to a smart contract on the Ethereum blockchain, which contains alternative RPC addresses and configuration data. If the command-and-control server at sleepyduck.xyz becomes unavailable, the malware queries the smart contract, allowing it to update its command server address, adjust polling intervals, or execute emergency commands across all infected hosts. This blockchain-based infrastructure provides decentralized redundancy for SleepyDuck operations, making takedowns significantly more challenging for security teams and law enforcement.
The sleepyduck.xyz domain was registered on November 1, 2025, just one day after the associated Ethereum contract was deployed, indicating how rapidly threat actors mobilized the SleepyDuck attack infrastructure. Security analysts warn that despite SleepyDuck’s sophisticated design and advanced capabilities, much of its code remains unobfuscated and unminified, suggesting the malware may still be in its early development stages. This finding raises concerns that similar threats could proliferate across Open VSX and Visual Studio marketplaces, targeting the broader developer community with increasingly sophisticated supply chain attacks.
Only download and install IDE extensions from trusted publishers with verified accounts in the marketplace. Always review the publisher’s history, ratings, download trends, and user feedback before adding any new development tool to your environment. Exercise particular caution with extensions that imitate popular tools like Solidity helpers, as SleepyDuck demonstrates how threat actors exploit developer familiarity with common utilities.
If you have already installed the affected SleepyDuck extension (juan-bianco.solidity-vlang), remove it immediately from your development environment and run a full antivirus or endpoint security scan to detect any malicious activity. Developers should regularly review their installed extensions to ensure no unauthorized or unknown plugins are present in their IDE configurations. Establish a routine audit process for all development tools and extensions to minimize supply chain attack exposure.
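The audit described above can be scripted. The following is an added example written for this report, not code from Secure Annex or from the extension itself: it walks the extension folders of common editors, reads each extension's package.json, and flags the extension id, C2 domain, Ethereum address and vm.createContext usage named in the report. The default folder locations, the finding format and the sample extension tree built by build_sample_root() are assumptions constructed for the example.

```python
"""
Added example, not code from the Secure Annex report: audit locally installed
VS Code / Open VSX-compatible extensions for the SleepyDuck indicators the
report names (extension id, C2 domain, Ethereum address, vm.createContext).
Directory layout assumptions and the sample extension are constructed here.
"""
import json
import re
import tempfile
from pathlib import Path

# Indicators taken from the report. Extension ids are publisher.name.
MALICIOUS_EXTENSION_ID = "juan-bianco.solidity-vlang"
INDICATOR_PATTERNS = {
    "c2_domain": re.compile(r"sleepyduck\.xyz", re.I),
    "eth_address": re.compile(r"0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465", re.I),
    # Weak indicator on its own: legitimate extensions also use vm.createContext.
    # Treat it as a triage hint, not proof of compromise.
    "vm_sandbox": re.compile(r"vm\.createContext\s*\("),
}

# Assumed default extension folders for common editors; adjust for your fleet.
DEFAULT_EXTENSION_ROOTS = [
    Path.home() / ".vscode" / "extensions",
    Path.home() / ".vscode-oss" / "extensions",
    Path.home() / ".cursor" / "extensions",
]


def extension_id(manifest):
    """Marketplace id (publisher.name) from a package.json manifest, lowercased."""
    return f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}".lower()


def scan_extension(ext_dir):
    """Return a finding dict for one extension folder, or None if nothing matched."""
    manifest_path = ext_dir / "package.json"
    if not manifest_path.is_file():
        return None
    try:
        manifest = json.loads(manifest_path.read_text(encoding="utf-8", errors="replace"))
    except json.JSONDecodeError:
        return None
    ext_id = extension_id(manifest)
    hits = {}
    if ext_id == MALICIOUS_EXTENSION_ID:
        hits["known_bad_id"] = [ext_id]
    # Check every shipped .js file, not only the declared entry point, because
    # the payload may be tucked into a helper module rather than extension.js.
    for js_file in ext_dir.rglob("*.js"):
        try:
            text = js_file.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        for label, pattern in INDICATOR_PATTERNS.items():
            if pattern.search(text):
                hits.setdefault(label, []).append(js_file.relative_to(ext_dir).as_posix())
    if not hits:
        return None
    return {"id": ext_id, "version": manifest.get("version", "?"),
            "path": str(ext_dir), "hits": hits}


def audit(extension_roots):
    """Scan each extension folder under the given roots; return a list of findings."""
    findings = []
    for root in extension_roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            finding = scan_extension(ext_dir)
            if finding:
                findings.append(finding)
    return findings


def build_sample_root():
    """Constructed fixture: one benign and one SleepyDuck-like extension folder."""
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    benign = root / "someone.helper-1.2.3"
    benign.mkdir()
    (benign / "package.json").write_text(json.dumps(
        {"publisher": "someone", "name": "helper", "version": "1.2.3"}))
    (benign / "extension.js").write_text("exports.activate = () => {};\n")
    bad = root / "juan-bianco.solidity-vlang-0.0.8"
    bad.mkdir()
    (bad / "package.json").write_text(json.dumps(
        {"publisher": "juan-bianco", "name": "solidity-vlang", "version": "0.0.8"}))
    # Constructed stand-in for the malicious entry point: only the indicator
    # strings from the report appear here, no payload logic.
    (bad / "extension.js").write_text(
        "const vm = require('vm');\n"
        "const ctx = vm.createContext({});\n"
        "const C2 = 'https://sleepyduck.xyz';\n")
    return root


if __name__ == "__main__":
    roots = DEFAULT_EXTENSION_ROOTS + [build_sample_root()]
    for f in audit(roots):
        print(f"[!] {f['id']} {f['version']} at {f['path']} -> {f['hits']}")
```

Run it as-is to scan the assumed editor folders plus the constructed fixture; a hit on known_bad_id, c2_domain or eth_address is actionable, while vm_sandbox alone only marks the extension for manual review.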
Watch for strange network traffic patterns, especially outbound connections to unknown domains such as sleepyduck.xyz or unexpected blockchain-related communications. Check for processes that launch unexpectedly when editing or opening files in your development environment. Network monitoring tools or Endpoint Detection and Response (EDR) solutions can help detect these anomalies early, providing critical visibility into potential SleepyDuck infections or similar remote access trojan activity.
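The 30-second polling loop described in the report is a cadence that shows up in outbound connection logs even when the destination is not yet on a blocklist. The following is an added example for this write-up, not code from Secure Annex: it matches the known C2 domain and separately flags any source/destination pair whose connection intervals are nearly constant. The log line format, the host names and the sample traffic are constructed for the example; only the sleepyduck.xyz domain and the 30-second interval come from the report.

```python
"""
Added example, not code from the Secure Annex report: detect the fixed-interval
C2 polling described for SleepyDuck in outbound connection logs. Log format,
host names and sample traffic are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re
import statistics

# Indicator and polling interval taken from the report.
KNOWN_C2_DOMAINS = {"sleepyduck.xyz"}
EXPECTED_BEACON_SECONDS = 30

# Constructed log format for this example: "<ISO8601 ts>Z src=<host> dst=<name>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


def build_sample_log():
    """Constructed sample: one workstation polling every 30 s, one browsing normally."""
    lines = []
    base = datetime(2025, 11, 2, 9, 0, 0)
    # dev-ws-01 polls the C2 domain every 30 s with about one second of jitter.
    t = 0
    for j in [0, 1, -1, 0, 1, 0, -1, 0]:
        t += EXPECTED_BEACON_SECONDS + j
        lines.append(f"{(base + timedelta(seconds=t)).isoformat()}Z "
                     f"src=dev-ws-01 dst=sleepyduck.xyz")
    # dev-ws-02 reaches a package registry at irregular, human-driven intervals.
    t = 0
    for gap in [5, 120, 17, 300, 44, 9, 610, 3]:
        t += gap
        lines.append(f"{(base + timedelta(seconds=t)).isoformat()}Z "
                     f"src=dev-ws-02 dst=registry.example")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into (timestamp, src, dst) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts").rstrip("Z"))
        events.append((ts, m.group("src"), m.group("dst").lower()))
    return events


def known_c2_hits(events):
    """Return sorted (src, dst) pairs that contacted a domain from the IoC list."""
    return sorted({(src, dst) for _, src, dst in events if dst in KNOWN_C2_DOMAINS})


def find_beacons(events, min_count=5, max_jitter=0.2):
    """
    Flag src->dst pairs whose connection intervals are nearly constant.
    jitter = pstdev(intervals) / median(intervals): a fixed polling loop
    scores near 0, while interactive traffic scores far higher.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(intervals)
        if median <= 0:
            continue
        jitter = statistics.pstdev(intervals) / median
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "count": len(stamps),
                             "median_interval_s": median, "jitter": round(jitter, 3)})
    return findings


if __name__ == "__main__":
    evts = parse_log(build_sample_log())
    print("known C2 contacts:", known_c2_hits(evts))
    for b in find_beacons(evts):
        print("beacon-like:", b)
```

The jitter threshold and minimum count are tuning knobs: a destination that is polled at a steady cadence by a single workstation, but not by its peers, is the pattern to escalate, whether or not the name is already on the IoC list.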
Deploy next-generation antivirus (NGAV) and endpoint detection and response (EDR) solutions to identify and block malware threats like SleepyDuck before they can establish persistence. Leverage behavioral analysis and machine learning-based detection capabilities to spot suspicious activity patterns that may indicate remote access trojan infections or other advanced persistent threats targeting developer workstations.
Domain: sleepyduck[.]xyz
Ethereum Address: 0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465
T1195 – Supply Chain Compromise: SleepyDuck compromised the software supply chain by infiltrating the Open VSX marketplace with a malicious extension disguised as a legitimate Solidity development tool.
T1059 – Command and Scripting Interpreter: The malware executes malicious commands using JavaScript interpreters within the IDE environment.
T1059.007 – JavaScript: SleepyDuck specifically leverages JavaScript execution capabilities through the extension.js entry point and vm.createContext mechanisms.
T1497 – Virtualization/Sandbox Evasion: The trojan employs advanced techniques to detect and evade sandbox environments by analyzing system information such as hostname, username, MAC address, and timezone.
T1027 – Obfuscated Files or Information: Although much of the SleepyDuck code remains unobfuscated, the malware employs techniques to hide its true malicious purpose behind legitimate-appearing functions.
T1036 – Masquerading: SleepyDuck masquerades as a legitimate Solidity helper extension to avoid detection and gain user trust.
T1082 – System Information Discovery: The malware collects detailed system information including hostname, username, MAC address, and timezone to profile infected systems.
T1033 – System Owner/User Discovery: SleepyDuck identifies the system owner and user information as part of its reconnaissance activities.
T1071 – Application Layer Protocol: The trojan communicates with its command-and-control infrastructure using standard application layer protocols, polling the server every 30 seconds for instructions and using Ethereum blockchain communications as a fallback mechanism.
https://secureannex.com/blog/sleepyduck-malware/