Cybersecurity Threat Alert: SleepyDuck Malware & Supply Chain Attack Evolution

A sophisticated malware campaign leverages Ethereum blockchain technology to create a resilient command-and-control network targeting developers through the Open VSX extension marketplace, exposing critical vulnerabilities in software supply chain security. The discovery reveals advanced threat actor capabilities including system reconnaissance, cryptomining operations, and coordinated attacks that traditional security measures struggle to combat.

Nov 4, 2025 - 12:01
Nov 26, 2025 - 16:56

In the recently uncovered Open VSX extension attack, the attackers fall back to an Ethereum smart contract as their command server, which makes the infrastructure hard to disrupt.

November 3, 2025 - Cybersecurity researchers have flagged a new piece of malware that puts developers worldwide at risk. The SleepyDuck remote access trojan, delivered through an innocuous-looking extension in the Open VSX registry, illustrates a shift in the malware landscape: threat actors are now building blockchain-backed command-and-control (C2) infrastructure that conventional takedown and blocking measures struggle to disrupt.

The malware is the latest chapter in a years-long run of software supply chain attacks, and a disturbing one. John Tuckner, the Secure Annex researcher who uncovered it, says the suspicious extension, juan-bianco.solidity-vlang, fits a pattern of deception that is becoming increasingly common among skilled criminal groups.

The Deceptive Distribution Strategy

The malicious extension was published on October 31, 2025 as version 0.0.7, presenting itself as a harmless Solidity development library. The attacker played a waiting game: the benign version was left to accumulate downloads and apparent legitimacy before the payload was shipped. By November 1, 2025, when the extension had about 14,000 downloads, the attacker pushed version 0.0.8, which added the remote access trojan and turned the seemingly innocent library into a serious threat.

"The malware has sandbox bypassing methods and employs an Ethereum contract to change its C2 address in case the original is taken down," Tuckner said, describing the threat's architecture. The blockchain-based approach is a notable step in malware resilience: it decentralizes the command structure in a way that conventional defenses, built around blocking domains and IP addresses, handle poorly.

A Pattern of Targeting Developer Communities

The SleepyDuck campaign is not an isolated incident but part of a sustained series of attacks on developers working with emerging blockchain technologies such as Solidity. Malicious extensions aimed at Solidity developers have turned up on both the Visual Studio Code Extension Marketplace and the Open VSX registry, which points to an organized effort to exploit the intersection of developer tooling and cryptocurrency development.

In July 2025 the community got a stark reminder of these threats when Kaspersky published a case study: a Russian developer lost about $500,000 in cryptocurrency assets after installing one such malicious extension through the Cursor IDE, a figure that shows how costly these supply chain attacks can be.

Events like these have led security professionals to treat developer tool extensions as a high-priority attack surface that needs immediate attention from marketplace operators and the developer community. The specific targeting of Solidity developers suggests the threat actors want access to blockchain development workflows, possibly to plant backdoors in smart contracts or cryptocurrency-related software projects.

The discovery adds to a growing body of evidence that well-organized, well-resourced threat actors are deliberately targeting developer environments. Developers are among the most attractive targets for both criminals and state-sponsored attackers: they typically hold elevated privileges, have access to sensitive infrastructure, and are trusted to safeguard the software supply chain.

Technical Sophistication: Blockchain as Command Infrastructure

What sets SleepyDuck apart from a conventional remote access trojan is its use of a public blockchain as a decentralized command-and-control mechanism. On a machine with the malicious extension installed, the trojan is triggered when the developer opens a new editor window or opens a .sol file.

The activation sequence shows some care in its engineering. The trojan first probes the available Ethereum Remote Procedure Call (RPC) services and picks the fastest one to establish its blockchain connection. It then communicates with its command server at sleepyduck[.]xyz, the address published in the Ethereum contract at 0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465.

Once connected, the malware enters a polling loop, checking every 30 seconds for new commands to execute on the compromised host. This departs from traditional malware architectures that rely on DNS names or hardcoded IP addresses, both of which can be taken down or blocked at the network layer.

Blockchain-hosted infrastructure is significantly harder for law enforcement and defenders to remove. If the primary domain sleepyduck[.]xyz is seized or taken down, the malware falls back to a predetermined list of Ethereum RPC endpoints. Through these distributed nodes it reads the contract state, which includes the updated server details, so the command infrastructure fails over without any action by the threat actor. The design is not without weak points for a defender, though: because the RPC endpoint list and the contract address are fixed in the extension, they are themselves indicators, and outbound JSON-RPC traffic from a code editor process to public Ethereum nodes is something a network monitor can flag.

Data Exfiltration and System Reconnaissance

Beyond remote command execution, SleepyDuck has extensive reconnaissance capabilities that raise its threat profile. The trojan collects system details including hostname, username, MAC address and timezone, and exfiltrates them to the threat actor's command server.

This collection suggests the operator behind SleepyDuck is gathering intelligence ahead of secondary attacks. With metadata about the system and its environment, the attackers can tailor follow-on exploitation, pick the most valuable victims for further compromise, or build up dossiers that could be sold to other criminal groups.

The malware's capabilities go further. The extension can read new settings from the Ethereum contract address, so the operator can switch servers without victims having to reinstall anything. The threat actor has also built in an emergency command that can be sent to every compromised device at once, allowing coordinated activity across what may be thousands of infected machines.

Blockchain Evidence and Threat Attribution

The Ethereum contract underpinning the SleepyDuck infrastructure was created on October 31, 2025, the same day the malicious extension was published, which indicates that development and deployment were closely coordinated. Blockchain analysis let researchers trace the threat actor's updates to the server record across four separate Ethereum transactions, in which the command server address was changed from "localhost:8080" to "sleepyduck[.]xyz".

That trail cuts both ways. The same public ledger that gives the criminals resilience also gives law enforcement and researchers a permanent, publicly readable record of their activity: the contract's transaction history cannot be erased, so the attempt to harden the infrastructure has produced an immutable audit trail of it.
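The two mechanisms described above, the client-side lookup with RPC failover (from the Technical Sophistication section) and the forensic reconstruction of the server history from the contract's transactions, share the same ABI string decoding, so here is one added Python example that covers both. It is not code from the page, from Secure Annex or from the malware. The contract address is the one reported; the function selectors, RPC endpoints, transaction hashes, the unrelated transaction and the fake transport are assumptions constructed for the demo (the real contract's ABI is not on the page), and the 30-second polling loop is omitted.

```python
import json

CONTRACT = "0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465"  # address from the write-up
# Assumed 4-byte function selectors: the real contract's ABI is not on the page.
GET_SELECTOR = "0x11111111"
SET_SELECTOR = "0x22222222"


def abi_encode_string(s: str) -> str:
    """ABI-encode one dynamic `string`: offset word, length word, padded bytes."""
    b = s.encode("utf-8")
    pad = (-len(b)) % 32
    return "0x" + (32).to_bytes(32, "big").hex() + len(b).to_bytes(32, "big").hex() + b.hex() + "00" * pad


def abi_decode_string(data_hex: str) -> str:
    """Inverse of abi_encode_string, with bounds checks so a hostile or truncated
    node response cannot index past the buffer."""
    raw = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    if len(raw) < 64:
        raise ValueError("payload too short for an ABI string")
    offset = int.from_bytes(raw[0:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("offset points outside payload")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length exceeds payload")
    return raw[start:start + length].decode("utf-8")


def eth_call_request(contract: str, selector: str, req_id: int = 1) -> dict:
    """JSON-RPC body for a read-only eth_call; this is the request shape a network
    sensor would see leaving the editor process."""
    return {"jsonrpc": "2.0", "id": req_id, "method": "eth_call",
            "params": [{"to": contract, "data": selector}, "latest"]}


def resolve_c2(rpc_endpoints, transport, contract=CONTRACT):
    """Walk the endpoint list in order and return (endpoint, server) from the first
    node that answers with a well-formed string. Dead, blocked or erroring nodes are
    skipped (the failover behaviour described above); if all fail, raise with reasons."""
    failures = {}
    for endpoint in rpc_endpoints:
        try:
            resp = transport(endpoint, eth_call_request(contract, GET_SELECTOR))
            if "error" in resp:
                raise RuntimeError(resp["error"].get("message", "rpc error"))
            return endpoint, abi_decode_string(resp["result"])
        except (OSError, RuntimeError, ValueError, KeyError) as exc:
            failures[endpoint] = str(exc)
    raise RuntimeError(f"all RPC endpoints failed: {failures}")


def decode_setter_history(transactions, contract=CONTRACT):
    """Forensic side: replay transactions sent to the contract and recover the
    successive server values from their calldata (selector + ABI string)."""
    history = []
    for tx in transactions:
        if tx.get("to", "").lower() != contract.lower():
            continue
        calldata = tx["input"]
        if not calldata.lower().startswith(SET_SELECTOR):
            continue
        history.append((tx["hash"], abi_decode_string("0x" + calldata[10:])))
    return history


def setter_calldata(server: str) -> str:
    """Calldata for the assumed setter: selector followed by the encoded string."""
    return SET_SELECTOR + abi_encode_string(server)[2:]


# --- constructed sample data (not real chain data) ---
RPC_ENDPOINTS = ["https://rpc-a.example.invalid", "https://rpc-b.example.invalid",
                 "https://rpc-c.example.invalid"]
CURRENT_SERVER = "sleepyduck[.]xyz"
SAMPLE_TXS = [
    {"hash": "0x01", "to": CONTRACT, "input": setter_calldata("localhost:8080")},
    {"hash": "0x02", "to": "0x" + "00" * 20, "input": "0x"},  # unrelated transfer, ignored
    {"hash": "0x03", "to": CONTRACT, "input": setter_calldata(CURRENT_SERVER)},
]


def fake_transport(endpoint: str, request: dict) -> dict:
    """Stands in for an HTTP POST of json.dumps(request) to the node. The first node
    is unreachable and the second reverts, so the resolver has to fail over."""
    if endpoint.endswith("rpc-a.example.invalid"):
        raise ConnectionError("blocked at the egress proxy")
    if endpoint.endswith("rpc-b.example.invalid"):
        return {"jsonrpc": "2.0", "id": request["id"],
                "error": {"code": -32000, "message": "execution reverted"}}
    return {"jsonrpc": "2.0", "id": request["id"], "result": abi_encode_string(CURRENT_SERVER)}


if __name__ == "__main__":
    print("request on the wire:", json.dumps(eth_call_request(CONTRACT, GET_SELECTOR)))
    print("resolved via", *resolve_c2(RPC_ENDPOINTS, fake_transport))
    for tx_hash, server in decode_setter_history(SAMPLE_TXS):
        print(tx_hash, "->", server)
```

The resolver is deliberately tolerant of bad nodes, which is exactly why blocking one RPC endpoint does little; the forensic half shows that the same tolerance leaves every setter call on the ledger for an analyst to replay.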

Download Count Manipulation and Search Result Gaming

Security analysts believe the threat actors artificially inflated the extension's download count to improve its ranking in both the Cursor and Open VSX search results. The technique shows a good understanding of how developers discover and evaluate tools, and of how popularity metrics are read as a proxy for trustworthiness.

"The download counts are probably manipulated, which makes it difficult to tell the exact number," Tuckner told The Hacker News. "This is very likely done to make it more relevant in the search results for Cursor/Open VSX." This exposes a weakness in the trust model of developer tool ecosystems: the popularity metrics developers rely on when deciding which extensions to install can be gamed.

Concurrent Campaign: Cryptomining and Malware Distribution via VS Code Extensions

The SleepyDuck disclosure coincided with threat intelligence on a parallel campaign in the VS Code Extension Marketplace, where five more malicious extensions were identified. The extensions, published under the account "developmentinc", used seven distinct attack methods, all centered on cryptocurrency mining and system exploitation.

The five malicious extensions were "developmentinc.cfx-lua-vs", "developmentinc.pokemon", "developmentinc.torizon-vs", "developmentinc.minecraftsnippets" and "developmentinc.kombai-vs". The Pokémon-themed one was particularly aggressive: immediately on installation or activation it downloaded a batch-script miner loader from an external server at "mock1[.]su:443".

The downloaded script was launched via "cmd.exe" and then performed a sequence of actions intended to keep the attacker in control of the compromised system. It used PowerShell to relaunch itself with administrator privileges, then pre-emptively blinded Microsoft Defender Antivirus by adding every drive letter from C: through Z: to the exclusion list. With antivirus coverage effectively removed, the script fetched a Monero mining executable from the same server and ran it on the infected machine. Drive-root exclusions like these are a strong signal in their own right: Defender records every exclusion change as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, and an exclusion covering an entire drive has almost no legitimate use.
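An added example (not code from the page or from any vendor) of the detection check a blue team would want for the Defender-exclusion step described above, run here over constructed log lines. The Event ID 5007 message shape follows what Defender writes to the Microsoft-Windows-Windows Defender/Operational log; the line framing (timestamp, host, message), the hostnames and the Add-MpPreference command line are assumptions made for the demo.

```python
import re
from collections import defaultdict

# Event ID 5007 records a changed setting as "<registry path> = <value>"; an added
# path exclusion appears under ...\Exclusions\Paths\<path> = 0x0.
EXCLUSION_RE = re.compile(r"Exclusions\\Paths\\(.+?)\s*=\s*0x0", re.IGNORECASE)
# Add-MpPreference -ExclusionPath <path>[,<path>...] on a process command line.
ADD_MP_RE = re.compile(r"Add-MpPreference\b.*?-ExclusionPath\s+['\"]?([^'\"]+)", re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")


def exclusions_in_line(line: str):
    """Return every exclusion path a single log line adds, from either source."""
    paths = [m.group(1).strip() for m in EXCLUSION_RE.finditer(line)]
    m = ADD_MP_RE.search(line)
    if m:
        for token in re.split(r"[,\s]+", m.group(1).strip()):
            if token.startswith("-"):  # the next PowerShell parameter; stop here
                break
            if token:
                paths.append(token)
    return paths


def drive_root_exclusions_by_host(lines):
    """Map host -> set of whole-drive exclusions ('C:\\', 'D:\\', ...), normalised."""
    by_host = defaultdict(set)
    for line in lines:
        parts = line.split(" ", 2)  # constructed framing: "<timestamp> <host> <message>"
        if len(parts) < 3:
            continue
        host, message = parts[1], parts[2]
        for path in exclusions_in_line(message):
            if DRIVE_ROOT_RE.match(path):
                by_host[host].add(path.rstrip("\\").upper() + "\\")
    return dict(by_host)


def alerting_hosts(lines, threshold=2):
    """Hosts that excluded at least `threshold` whole drives. One drive root is already
    suspicious; several in quick succession is the C:-through-Z: pattern."""
    roots = drive_root_exclusions_by_host(lines)
    return sorted(host for host, r in roots.items() if len(r) >= threshold)


# Constructed sample log lines (not from a real incident).
SAMPLE_LINES = [
    r"2025-11-01T10:02:11Z DEV-01 EventID=4688 NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell -Command Add-MpPreference -ExclusionPath 'C:\' -Force",
    r"2025-11-01T10:02:12Z DEV-01 EventID=5007 Microsoft Defender Antivirus Configuration has changed. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0",
    r"2025-11-01T10:02:12Z DEV-01 EventID=5007 Microsoft Defender Antivirus Configuration has changed. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\D:\ = 0x0",
    r"2025-11-01T10:02:13Z DEV-01 EventID=5007 Microsoft Defender Antivirus Configuration has changed. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\Z:\ = 0x0",
    r"2025-11-01T11:15:40Z DEV-02 EventID=5007 Microsoft Defender Antivirus Configuration has changed. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Docker = 0x0",
    r"2025-11-01T11:16:02Z DEV-03 EventID=4688 NewProcessName=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c echo hello",
]

if __name__ == "__main__":
    for host, roots in drive_root_exclusions_by_host(SAMPLE_LINES).items():
        print(host, sorted(roots))
    print("alerting:", alerting_hosts(SAMPLE_LINES))
```

The benign exclusion on DEV-02 (a product directory, not a drive root) does not trip the rule, which is the point of keying on drive roots rather than on exclusion changes in general.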

Monero, a privacy-focused cryptocurrency, is the favorite of cryptomining malware operators because its transactions resist the public traceability that characterizes Bitcoin. That property makes it attractive to threat actors who want to monetize compromised systems without being exposed through blockchain analysis.

Remediation and Reactions from the Industry

Microsoft announced in June 2025 that it would run periodic marketplace-wide scans to identify and remove malicious extensions, one of several measures taken against these threats. The fight is far from over, though. The arrival of more sophisticated campaigns shows that defenses need to be layered, and that determined threat actors still reach the developer community.

Security researchers continuously monitor extension removals, and Microsoft maintains a public GitHub repository listing every extension removed from the official VS Code Extension Marketplace. This transparency helps the community learn about new threats, but it is inherently reactive: it records threats only after they have already been distributed.

Recommendations for Developers and Organizations

Given the escalating threat to the developer community, security experts recommend a set of baseline protections for organizations and individual developers alike: restrict extension installation to an explicitly approved list, require code review of any new extension before it is deployed in shared development environments, and keep active monitoring in place for signs of system abuse or unauthorized network communication. Auto-updates belong in that review: a clean version 0.0.7 says nothing about what 0.0.8 will contain, so approvals should be tied to a reviewed version rather than to an extension name.
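As an added illustration of the first two recommendations (allowlisting, and reviewing a specific version before it is deployed), here is a Python audit of a VS Code or Cursor extensions directory. It is not code from the page or from any marketplace operator. The known-bad IDs are the ones named in this write-up; the allowlist, the sample directory tree, the ms-python version string and the "someone.handy-snippets" extension are constructed for the demo.

```python
import json
import tempfile
from pathlib import Path

# Extension IDs named in the write-up; everything else in this file is constructed.
KNOWN_BAD = {
    "juan-bianco.solidity-vlang",
    "developmentinc.cfx-lua-vs", "developmentinc.pokemon", "developmentinc.torizon-vs",
    "developmentinc.minecraftsnippets", "developmentinc.kombai-vs",
}


def installed_extensions(ext_dir):
    """Yield (extension_id, version) for every <publisher>.<name>-<version>/package.json
    under ext_dir, the layout used by ~/.vscode/extensions and ~/.cursor/extensions.
    A folder whose manifest cannot be read is reported by folder name so it still
    shows up in the audit instead of being silently skipped."""
    for pkg in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            meta = json.loads(pkg.read_text(encoding="utf-8"))
            ext_id = f"{meta['publisher']}.{meta['name']}".lower()
        except (ValueError, KeyError, OSError):
            yield pkg.parent.name.lower(), "unparseable"
            continue
        yield ext_id, str(meta.get("version", "unknown"))


def audit(ext_dir, allowlist, known_bad=KNOWN_BAD):
    """allowlist maps extension id -> set of reviewed versions. The version pin matters:
    0.0.7 of the Solidity extension was clean and 0.0.8 carried the trojan, and an
    auto-update would have moved a user from one to the other silently."""
    findings = []
    for ext_id, version in installed_extensions(ext_dir):
        if ext_id in known_bad:
            findings.append(("KNOWN_BAD", ext_id, version))
        elif ext_id not in allowlist:
            findings.append(("NOT_ALLOWLISTED", ext_id, version))
        elif version not in allowlist[ext_id]:
            findings.append(("VERSION_NOT_REVIEWED", ext_id, version))
    return findings


def build_sample_dir():
    """Constructed sample tree in a temp directory; only the folder layout is real."""
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    sample = [
        ("ms-python", "python", "2025.1.0"),
        ("juan-bianco", "solidity-vlang", "0.0.8"),
        ("someone", "handy-snippets", "1.2.3"),
    ]
    for publisher, name, version in sample:
        folder = root / f"{publisher}.{name}-{version}"
        folder.mkdir()
        (folder / "package.json").write_text(
            json.dumps({"publisher": publisher, "name": name, "version": version}),
            encoding="utf-8")
    broken = root / "broken.ext-0.0.1"
    broken.mkdir()
    (broken / "package.json").write_text("{not json", encoding="utf-8")
    return root


# Constructed allowlist: reviewed versions per extension id.
SAMPLE_ALLOWLIST = {"ms-python.python": {"2025.1.0"}, "someone.handy-snippets": {"1.0.0"}}

if __name__ == "__main__":
    for finding in audit(build_sample_dir(), SAMPLE_ALLOWLIST):
        print(*finding)
```

Run against a real profile by passing the actual extensions directory instead of the sample one; the allowlist is the artifact the review process produces, and a VERSION_NOT_REVIEWED finding is the signal that an update slipped in without review.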

SleepyDuck is a reminder that as software supply chains become more interconnected and developer tools more widely used, the risk of compromising these critical components grows. The combination of cryptocurrency incentives, blockchain-based command infrastructure and the trust placed in developer tools sets the stage for even more damaging attacks.

The industry should treat these incidents not as isolated events but as signs of a broader strategic shift among capable threat actors toward the developer ecosystem. The developers who build the digital world deserve protection commensurate with their strategic importance in the global information technology infrastructure.