SleepyDuck malicious Open VSX extension

Malware Activity
Happening score (H score): 16
1 unique source, 1 article

Summary

A malicious Open VSX extension named juan-bianco.solidity-vlang was updated to deliver the SleepyDuck remote access trojan, putting Solidity developers at risk of host compromise and remote command execution. The payload uses an Ethereum contract for command-and-control persistence and can exfiltrate host details such as hostname, username, MAC address, and timezone. It also activates when a new editor window opens or a .sol file is selected, widening exposure for developers working in affected environments.

Related Happenings

DEEP#DOOR Python backdoor framework

Malware Activity
First: 30.04.2026 15:36 Last: 30.04.2026 15:36 Sources 1

About this happening: **DEEP#DOOR** is a newly disclosed **Python-based backdoor framework** that can keep **persistent access** to compromised Windows hosts while stealing browser, SSH, and cloud cred...

GlassWorm OpenVSX sleeper extension campaign

Campaign
First: 28.04.2026 00:41 Last: 28.04.2026 00:41 Sources 1

About this happening: The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
First: 27.04.2026 14:23 Last: 27.04.2026 14:23 Sources 1

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

GlassWorm Zig dropper infecting developer IDEs

Malware Activity
First: 10.04.2026 16:23 Last: 10.04.2026 16:23 Sources 1

About this happening: The **GlassWorm** malware set now uses a **Zig dropper** that can silently infect **all VS Code-based IDEs** on a developer's machine, widening the reach of the compromise. The pa...

DRILLAPP JavaScript backdoor through Microsoft Edge

Malware Activity
First: 16.03.2026 11:07 Last: 16.03.2026 11:07 Sources 1

About this happening: Observed in **February 2026**, the **DRILLAPP** backdoor now runs through **Microsoft Edge**, giving it **file access** plus access to the **microphone**, **webcam**, and **screen...

Timeline

  1. 03.11.2025 20:08 · 1 article

    juan-bianco.solidity-vlang version 0.0.7 is published as a benign extension

    Campaign Scope Update

    The Open VSX extension juan-bianco.solidity-vlang version 0.0.7 is first published as a benign Solidity library, and the associated Ethereum contract is created with server details initially set to localhost:8080.

  2. 03.11.2025 20:08 · 2 articles

    juan-bianco.solidity-vlang version 0.0.8 adds the SleepyDuck trojan

    Technical Analysis Update

    The extension is updated to version 0.0.8 on November 1, 2025 after reaching 14,000 downloads, adding the SleepyDuck remote access trojan. The malware triggers when a new code editor window opens or a .sol file is selected, checks for commands every 30 seconds, and uses the Ethereum contract address 0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465 to reach sleepyduck[.]xyz.

  3. 03.11.2025 20:08 · 1 article

    Researchers flag juan-bianco.solidity-vlang as a SleepyDuck carrier in Open VSX

    Initial Disclosure

    Cybersecurity researchers flag juan-bianco.solidity-vlang in the Open VSX registry as a malicious extension carrying SleepyDuck, warning that it can evade sandboxes, exfiltrate hostname, username, MAC address, and timezone, and recover command-and-control details through Ethereum-based fallback controls.
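
A host check built from the indicators in the timeline above, as an added example that is not part of the original page or its sources: it looks for the extension ID juan-bianco.solidity-vlang in installed-extension folders and for the contract address or domain embedded in any extension's files. The folder locations in `DEFAULT_ROOTS` and all function names are assumptions; `publisher`, `name` and `version` are the standard fields of an extension's package.json.

```python
import json
from pathlib import Path

# Indicators copied from the timeline above (domain is defanged on the page).
BAD_EXTENSION = ("juan-bianco", "solidity-vlang")
IOC_STRINGS = ("0xdafb81732db454da238e9cfc9a9fe5fb8e34c465", "sleepyduck.xyz")
# Assumption: common per-user extension folders of VS Code-based editors.
DEFAULT_ROOTS = [Path.home() / d / "extensions"
                 for d in (".vscode", ".vscode-oss", ".cursor", ".windsurf")]
CODE_SUFFIXES = {".js", ".cjs", ".mjs", ".json", ".ts"}

def read_manifest(ext_dir):
    """Return (publisher, name, version) from package.json, or None if unreadable."""
    try:
        data = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        return (str(data.get("publisher", "")).lower(),
                str(data.get("name", "")).lower(), str(data.get("version", "")))
    except (OSError, ValueError, AttributeError):
        return None

def ioc_hits(ext_dir):
    """Yield (file, indicator) for each indicator string found in the extension's files."""
    for path in ext_dir.rglob("*"):
        if not (path.is_file() and path.suffix.lower() in CODE_SUFFIXES):
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore").lower()
        except OSError:
            continue
        for ioc in IOC_STRINGS:
            if ioc in text:
                yield str(path), ioc

def scan(roots=DEFAULT_ROOTS):
    """Flag the named extension by ID, and any extension that embeds an indicator."""
    findings = []
    for root in (Path(r) for r in roots if Path(r).is_dir()):
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            manifest = read_manifest(ext_dir)
            if manifest and manifest[:2] == BAD_EXTENSION:
                findings.append({"dir": str(ext_dir), "reason": "extension-id",
                                 "version": manifest[2]})
            for path, ioc in ioc_hits(ext_dir):
                findings.append({"dir": str(ext_dir), "reason": "ioc:" + ioc, "file": path})
    return findings

if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

The timeline reports version 0.0.7 as benign and 0.0.8 as the trojanized update, so the `version` field in an `extension-id` finding tells you which side of that change a host is on.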