
SleepyDuck trojan in Open VSX Solidity extension with Ethereum smart-contract C2

Malware Activity
Happening score: 22
1 unique source, 1 article

Summary

A malicious Open VSX extension delivered SleepyDuck, a remote access trojan that uses an Ethereum smart contract for C2 redundancy and persistence, exposing developers using VS Code-compatible IDE extensions to backdoor risk. The package juan-bianco.solidity-vlang was downloaded more than 53,000 times while it remained on the registry. A malicious update replaced the initially harmless package, and the malware stays functional even if the primary server goes offline.

Related Happenings

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
First: 27.04.2026 14:23 Last: 27.04.2026 14:23 Sources 1

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

GlassWorm open-source supply-chain campaign targeting developers

Campaign
First: 14.03.2026 14:55 Last: 14.03.2026 14:55 Sources 1

About this happening: The **GlassWorm** campaign has added a new **Open VSX** wave of **73 cloned VS Code extensions** that impersonate legitimate packages to build trust before delivering malware. **S...

Latest development: 17.03.2026 23:42

GlassWorm renewed its supply-chain campaign against GitHub, npm, and VSCode/OpenVSX, with researchers identifying 433 compromised components this month across 200 GitHub Python repositories, 151 GitHub JS/TS repositories, 72 VSCode/OpenVSX extensions, and 10 npm packages. The operators compromised GitHub accounts to force-push malicious commits, published obfuscated code using invisible Unicode characters, and used Solana blockchain transactions as C2 to deliver a Node.js runtime and a JavaScript-based information stealer that targets cryptocurrency wallet data, credentials, access tokens, SSH keys, and developer environment data.

GlassWorm malware abuses compromised OpenVSX extensions to steal credentials from macOS systems

Malware Activity
First: 03.02.2026 00:04 Last: 03.02.2026 00:04 Sources 1

About this happening: **GlassWorm** is a malware campaign that now also fuels **ForceMemo**, a **supply-chain attack** that steals **GitHub tokens** and force-pushes malicious code into **Python reposi...

GlassWorm campaign returns in repeated waves across extension marketplaces

Campaign
First: 01.01.2026 17:18 Last: 01.01.2026 17:18 Sources 1

About this happening: **GlassWorm** is an ongoing **supply-chain attack** targeting developers through the **OpenVSX** and **Microsoft Visual Studio Marketplace** extension ecosystems. In the latest co...

Latest development: 17.03.2026 23:42

GlassWorm renewed its supply-chain campaign with a coordinated wave that compromised 433 components across GitHub, npm, and VSCode/OpenVSX this month, including 200 GitHub Python repositories, 151 GitHub JS/TS repositories, 72 VSCode/OpenVSX extensions, and 10 npm packages. Attackers compromised GitHub accounts to force-push malicious commits, then published obfuscated packages and extensions that queried a Solana blockchain C2 channel every five seconds and delivered a Node.js-based JavaScript infostealer that targets cryptocurrency wallet data, credentials, access tokens, SSH keys, and developer environment data.

Glassworm third-wave malicious VS Code packages

Malware Activity
First: 01.12.2025 23:08 Last: 01.12.2025 23:08 Sources 1

About this happening: The **Glassworm** malware has returned in a **third wave** of malicious **VS Code marketplace packages**, expanding exposure for developers who install extensions from **OpenVSX**...

Timeline

  1. 03.11.2025 22:50 1 article · 6mo ago

    Harmless version 0.0.7 of juan-bianco.solidity-vlang is submitted to Open VSX

    The juan-bianco.solidity-vlang extension is submitted to Open VSX as version 0.0.7 without malicious capabilities.

  2. 03.11.2025 22:50 1 article · 6mo ago

    Malicious update adds SleepyDuck to the Open VSX Solidity package

    The juan-bianco.solidity-vlang package gains malicious capabilities the day after its October 31 submission, turning the Open VSX Solidity extension into a SleepyDuck delivery vehicle when the download count has already reached 14,000.

  3. 03.11.2025 22:50 1 article · 6mo ago

    Open VSX package version 0.1.3 reaches 53,439 downloads

    By November 2nd, the juan-bianco.solidity-vlang package is still present on Open VSX with a platform warning and has been downloaded 53,439 times since submission.

  4. 03.11.2025 22:50 2 articles · 6mo ago

    Secure Annex describes SleepyDuck's Ethereum-based C2 and persistence

    Technical Analysis Update

    Secure Annex says SleepyDuck uses Ethereum contracts to update its command-and-control (C2) server address and maintain long-term persistence, can stay functional if sleepyduck[.]xyz goes offline, and collects hostname, username, MAC address, and timezone before entering a polling loop that fetches new instructions from the blockchain.
