The SleepyDuck malware is embedded within a Visual Studio Code extension named juan-bianco.solidity-vlang, published on the Open VSX registry. Initially released as a benign Solidity language support library, it was updated shortly after to include a remote access trojan component. The malware activates when a user opens a new code editor window or selects a Solidity (.sol) file, targeting developers working with Ethereum smart contracts. SleepyDuck uses advanced sandbox evasion techniques to avoid detection and connects to an Ethereum smart contract to retrieve its command and control (C2) server address. This blockchain-based approach allows the malware to maintain persistence and resilience; if the primary C2 domain (sleepyduck[.]xyz) is taken down, the malware queries predefined Ethereum RPC endpoints to obtain updated server information from the smart contract. The malware collects system details such as hostname, username, MAC address, and timezone, exfiltrating this data to the attacker’s server. It polls the C2 every 30 seconds for new commands, enabling remote execution on the infected host. The Ethereum contract was created on October 31, 2025, and updated multiple times to change server details, demonstrating active attacker control. This attack represents a sophisticated supply chain compromise targeting the developer ecosystem, leveraging blockchain technology to evade takedown efforts and maintain control. Additionally, related malicious extensions have been found distributing cryptocurrency miners, indicating a broader campaign targeting VS Code users. The threat underscores the risks of malicious code injection in widely used development tools and the innovative use of blockchain for malware resilience.

For European organizations, especially those involved in blockchain development, smart contract programming, or software development using Visual Studio Code, this threat poses significant risks. The malware’s ability to exfiltrate system information can lead to exposure of sensitive internal data, user credentials, and network topology, facilitating further attacks. The use of Ethereum smart contracts for C2 infrastructure complicates takedown efforts, increasing the persistence and stealth of the malware. This can result in prolonged undetected access, enabling espionage, data theft, or deployment of additional payloads such as cryptocurrency miners or ransomware. The supply chain nature of the attack undermines trust in development tools and can disrupt software development pipelines. Organizations may face operational disruptions, intellectual property theft, and reputational damage. The threat also highlights the risk of indirect compromise through developer workstations, which can be pivot points into corporate networks. Given the growing adoption of blockchain technologies in Europe, the impact could extend to financial institutions, fintech startups, and enterprises integrating Ethereum-based solutions.

1. Enforce strict policies for extension installation, restricting to verified and trusted publishers only, and regularly audit installed extensions for anomalies. 2. Implement behavioral monitoring on developer workstations to detect unusual network connections, especially to blockchain RPC endpoints and suspicious domains like sleepyduck[.]xyz. 3. Deploy endpoint detection and response (EDR) solutions with capabilities to detect sandbox evasion techniques and unusual polling behaviors. 4. Monitor Ethereum blockchain activity related to suspicious smart contracts to identify potential C2 infrastructure and update threat intelligence accordingly. 5. Educate developers on the risks of installing unverified extensions and encourage use of internal vetted extension repositories. 6. Collaborate with VS Code marketplace and Open VSX maintainers to report and remove malicious extensions promptly. 7. Use network segmentation to isolate developer environments and limit lateral movement in case of compromise. 8. Regularly update and patch development tools and underlying operating systems to reduce exploitation vectors. 9. Implement multi-factor authentication and strong credential management to mitigate risks from stolen credentials. 10. Conduct threat hunting exercises focusing on blockchain-related malware indicators and unusual RPC traffic patterns.