‘SleepyDuck’ Malware in Open VSX Lets Attackers Remotely Control Windows PCs

Security researchers have identified a dangerous remote access trojan called SleepyDuck lurking in the Open VSX IDE extension marketplace, targeting developers who use code editors like Cursor and Windsurf.

The malicious extension masqueraded as a legitimate Solidity programming language helper, squatting on the name of an established extension to evade detection.

The compromised extension juan-bianco.solidity-vlang received over 14,000 downloads before the malicious payload was injected, demonstrating the severity of supply chain attacks targeting developer tools.

The attack unfolded in two stages. The extension was initially published on October 31st as an apparently harmless tool.

However, on November 1st, the developers behind the extension pushed a critical update to version 0.0.8 that introduced remote access capabilities.

This delayed activation strategy allowed the malware to establish a foothold on thousands of systems before detection became apparent.

Subsequent updates modified the extension’s activation events to ...