New ‘SleepyDuck’ Malware In Open VSX Marketplace Allows Attackers To...


A sophisticated remote access trojan named SleepyDuck has infiltrated the Open VSX IDE extension marketplace, targeting developers using code editors like Cursor and Windsurf.

The malware was disguised as a legitimate Solidity extension under the identifier juan-bianco.solidity-vlang, using name squatting to deceive unsuspecting users.

Initially published on October 31st as version 0.0.7, the extension appeared harmless until, after accumulating 14,000 downloads, it was updated on November 1st to a malicious version 0.0.8 that carried the new capabilities.

The extension masquerades as a development tool for Solidity programming, a language commonly used in blockchain and smart contract development.

Attackers leveraged this popular category to maximize their victim pool among cryptocurrency developers and blockchain engineers.

What makes this threat particularly dangerous is its ability to establish persistent remote access to infected Windows systems while maintaining stealth through various evasion techniques.

Secure Annex analysts identified the malware’s unusual persistence mechanism, which relies on Ethereum blockchain contracts to maintain its command-and-control infrastructure.

This approach lets the attackers publish new control-server addresses even if the primary domain is seized or taken offline.

The malware communicates with sleepyduck[.]xyz as its default command and control server, employing a 30-second polling interval to receive instructions from threat actors.

The infection begins when the extension activates upon opening a new code editor window or selecting a .sol file.
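As an added illustration that is not code from the Secure Annex write-up or from the malware, the following Python sweep walks local IDE extension directories and flags the two indicators quoted above: the extension identifier at version 0.0.8 or later, and the default C2 hostname inside shipped JavaScript. The per-editor extension paths and the sample extension tree are assumptions constructed for the demonstration.

```python
import json
import tempfile
from pathlib import Path

# Indicators quoted in the write-up; the per-editor extension paths are assumed defaults.
MALICIOUS_ID = "juan-bianco.solidity-vlang"
FIRST_BAD_VERSION = (0, 0, 8)
C2_DOMAIN = b"sleepyduck.xyz"  # the defanged sleepyduck[.]xyz, re-armed only for matching
DEFAULT_ROOTS = [Path.home() / d / "extensions" for d in (".vscode", ".cursor", ".windsurf")]

def parse_version(text):  # '0.0.8' -> (0, 0, 8); non-numeric components compare as 0
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))

def scan_extension(ext_dir):
    """Findings for one installed extension as (kind, detail, malicious) tuples."""
    findings = []
    try:
        meta = json.loads((ext_dir / "package.json").read_text(encoding="utf-8", errors="replace"))
    except (OSError, ValueError):
        return findings  # no manifest or unparsable manifest: not a VS Code-style extension
    ext_id = f"{meta.get('publisher', '')}.{meta.get('name', '')}".lower()
    if ext_id == MALICIOUS_ID:  # 0.0.7 was clean; 0.0.8 and later carry the RAT
        version = str(meta.get("version", "0"))
        findings.append(("known-id", version, parse_version(version) >= FIRST_BAD_VERSION))
    for js in ext_dir.rglob("*.js"):  # content check survives a republish under a new name
        if C2_DOMAIN in js.read_bytes().lower():
            findings.append(("c2-domain", str(js.relative_to(ext_dir)), True))
    return findings

def scan_roots(roots=DEFAULT_ROOTS):
    """Map the name of each extension directory that has findings to its findings."""
    results = {}
    for root in (r for r in roots if r.is_dir()):
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            if hits := scan_extension(ext_dir):
                results[ext_dir.name] = hits
    return results

def build_sample_root():
    """Constructed sample tree: a trojanised 0.0.8 copy beside a benign extension."""
    root = Path(tempfile.mkdtemp(prefix="ext-sample-"))
    samples = [("juan-bianco.solidity-vlang-0.0.8", "juan-bianco", "solidity-vlang", "0.0.8",
                "// constructed sample that mentions the C2 host sleepyduck.xyz\n"),
               ("example.formatter-1.2.0", "example", "formatter", "1.2.0", "module.exports = {};\n")]
    for dirname, publisher, name, version, body in samples:
        (root / dirname).mkdir()
        (root / dirname / "package.json").write_text(
            json.dumps({"publisher": publisher, "name": name, "version": version}))
        (root / dirname / "extension.js").write_text(body)
    return root
```

Running `scan_roots()` with no arguments sweeps the assumed editor directories on the current machine; `scan_roots([build_sample_root()])` exercises the checks against the constructed tree.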

Source: Cybersecurity News