Saved February 14, 2026
Do you care about this?
Security researchers found a harmful extension in the Open VSX registry that installs a remote access trojan called SleepyDuck. Initially released as harmless, the extension was updated shortly after gaining 14,000 downloads, enabling it to access user systems and exfiltrate data. Users are warned to be cautious when downloading extensions from unverified sources.
If you do, here's more
A new malicious extension named juan-bianco.solidity-vlang (version 0.0.7) has surfaced in the Open VSX registry, containing a remote access trojan called SleepyDuck. Initially released on October 31, 2025, it was updated the next day to version 0.0.8, which introduced harmful features after garnering 14,000 downloads. John Tuckner from Secure Annex highlighted the extension’s ability to evade detection and its use of an Ethereum contract to switch command and control addresses if the original is compromised.
The malware activates when users open a new code editor window or select a .sol file. It seeks the fastest Ethereum Remote Procedure Call (RPC) provider to connect to the blockchain and communicates with a remote server at “sleepyduck[.]xyz.” The trojan checks for commands every 30 seconds and can collect sensitive system data, like hostname and MAC address, sending this information to its server. If the main domain is taken down, the malware can switch to a list of backup Ethereum RPC addresses to maintain its operations.
This incident is part of a broader trend, with multiple rogue extensions targeting Solidity developers. In a related case, a Russian developer lost $500,000 in cryptocurrency after installing a harmful extension through Cursor. Recently, another set of five extensions published by a user named “developmentinc” also posed threats, with one featuring a Pokémon theme that downloaded a Monero mining script upon installation. Users are urged to be cautious when downloading extensions and to verify their sources. Microsoft, for its part, has begun implementing regular scans to identify malicious content in its marketplace.
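To check a workstation for the extension described above, the following added example (not from the article or from Secure Annex) looks through locally installed editor extensions for the extension id and the command-and-control domain the article names. The directory list and the `<publisher>.<name>-<version>` folder layout are assumptions about common VS Code-compatible editors.

```python
import re
from pathlib import Path

# Indicators taken from the article above.
BAD_EXTENSION_ID = "juan-bianco.solidity-vlang"
C2_DOMAIN = "sleepyduck[.]xyz".replace("[.]", ".")  # refanged for matching

# Assumption: editors unpack extensions as <publisher>.<name>-<version>[-<platform>]
FOLDER_RE = re.compile(r"^(?P<id>[^.]+\.[\w-]+?)-(?P<version>\d+\.\d+\.\d+)(?:-.+)?$")

# Assumption: common per-user extension directories; adjust for your editor.
DEFAULT_ROOTS = [Path.home() / d / "extensions"
                 for d in (".vscode", ".vscode-oss", ".cursor")]

def audit_extensions(roots=DEFAULT_ROOTS):
    """Return (folder, reason) findings across the given extension directories."""
    findings = []
    for root in roots:
        if not root.is_dir():
            continue
        for folder in sorted(p for p in root.iterdir() if p.is_dir()):
            m = FOLDER_RE.match(folder.name)
            if m and m["id"].lower() == BAD_EXTENSION_ID:
                findings.append((folder, f"known-bad extension id, version {m['version']}"))
            # Also catch the same payload republished under a different name.
            for src in folder.rglob("*"):
                if src.suffix not in {".js", ".cjs", ".mjs", ".json"} or not src.is_file():
                    continue
                try:
                    text = src.read_text(errors="ignore")
                except OSError:
                    continue  # unreadable file: skip rather than abort the audit
                if C2_DOMAIN in text:
                    findings.append((folder, f"references {C2_DOMAIN} in {src.relative_to(folder)}"))
                    break  # one content hit per extension is enough
    return findings

if __name__ == "__main__":
    for folder, reason in audit_extensions():
        print(f"[!] {folder}: {reason}")
```

A clean result from the string scan does not rule out an obfuscated payload; the extension id match is the stronger signal.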