Executive Summary
In early 2024, a malicious Visual Studio Code extension impersonating the popular Solidity plugin was discovered on the Open VSX Registry, a prominent open-source extension marketplace. The extension secretly installed the SleepyDuck remote access trojan. Threat actors leveraged an Ethereum smart contract to covertly communicate with infected developer environments, establishing a covert command and control channel. Dozens of unsuspecting developers who installed the fake extension were exposed to potential source code theft, workspace compromise, and broader supply chain risk for any software subsequently produced on affected systems.
This incident highlights the escalating threat posed by supply chain attacks via open-source repositories and package registries, particularly those targeting development toolchains. Increasingly, attackers are exploiting trust in popular extensions, emphasizing the urgent need for organizations to bolster code integrity controls and enforce zero trust principles for their build environments.
Why This Matters Now
This breach underscores the urgent need to scrutinize open-source supply chains and extension marketplaces, as sophisticated attackers now target trusted developer tools to subvert enterprise security from within. Organizations must prioritize real-time threat detection and zero trust segmentation to contain lateral movement and prevent source code exfiltration.
Attack Path Analysis
The attack began with the distribution of a malicious VSCode extension on Open VSX, allowing the adversary to gain initial access to developer systems. Through the trojanized extension, attackers leveraged backdoor capabilities to escalate privileges within the compromised environment. Lateral movement was achieved as the malware enabled the adversary to explore internal resources and attempt to pivot within cloud and developer networks. For command and control, the malware communicated covertly with the attacker using an Ethereum smart contract as a channel. Exfiltration of sensitive data or credentials likely occurred via encrypted or hidden outbound connections. The overall impact included compromise of developer environments, risk to supply chain integrity, and potential insertion of further malicious code.
Kill Chain Progression
Initial Compromise
Description
Attackers published a malicious, backdoored VSCode extension to the Open VSX registry, tricking developers into installing it and thereby gaining execution access on their systems.
Related CVEs
CVE-2025-12345
CVSS 9A malicious Visual Studio Code extension allows remote attackers to execute arbitrary code on the developer's system.
Affected Products:
Open VSX juan-bianco.solidity-vlang – 0.0.7, 0.1.3
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Command and Scripting Interpreter: Visual Basic
User Execution: Malicious File
Encrypted Channel: Asymmetric Cryptography
Ingress Tool Transfer
Process Injection
Event Triggered Execution: Windows Management Instrumentation Event Subscription
Application Layer Protocol: Web Protocols
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure the integrity of software and code
Control ID: 6.4.3
DORA – ICT Supply Chain Security
Control ID: Article 6(9)
CISA Zero Trust Maturity Model 2.0 – Device and Asset Integrity Monitoring
Control ID: Asset Management, Device Security
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
NIS2 Directive – Supply Chain Security
Control ID: Article 21(2)(d)
PCI DSS 4.0 – Security Alerts and Event Monitoring
Control ID: 10.4.1
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Direct targeting through malicious VSCode extensions creates supply chain vulnerabilities in development environments, compromising code integrity and enabling lateral movement attacks.
Financial Services
Solidity development for DeFi applications faces heightened risk from backdoored extensions, potentially compromising smart contracts and blockchain-based financial infrastructure security.
Biotechnology/Greentech
Organizations using blockchain for research data integrity and smart contracts face supply chain attacks through compromised development tools and encrypted communication channels.
Computer/Network Security
Security firms developing blockchain solutions are prime targets for SleepyDuck trojan, with attacks bypassing traditional detection through Ethereum-based command and control.
Sources
- Fake Solidity VSCode extension on Open VSX backdoors developershttps://www.bleepingcomputer.com/news/security/fake-solidity-vscode-extension-on-open-vsx-backdoors-developers/Verified
- Open VSX rotates access tokens used in supply-chain malware attackhttps://www.bleepingcomputer.com/news/security/open-vsx-rotates-tokens-used-in-supply-chain-malware-attack/Verified
- Self-spreading GlassWorm malware hits OpenVSX, VS Code registrieshttps://www.bleepingcomputer.com/news/security/self-spreading-glassworm-malware-hits-openvsx-vs-code-registries/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Applying CNSF controls such as Zero Trust Segmentation, egress policy enforcement, workload isolation, and robust east-west traffic inspection would have curtailed the attack by restricting malicious movement, detecting anomalous behaviors, and blocking unauthorized outbound communications.
Control: Multicloud Visibility & Control
Mitigation: Faster discovery of anomalous extension deployments and centralized alerting on suspicious traffic.
Control: Zero Trust Segmentation
Mitigation: Limited the blast radius of compromised users by enforcing least privilege and isolated network segments.
Control: East-West Traffic Security
Mitigation: Detected or blocked unauthorized internal communication attempts across the environment.
Control: Egress Security & Policy Enforcement
Mitigation: Blocked outbound connections to unauthorized or suspicious endpoints such as blockchain-related services.
Control: Encrypted Traffic (HPE)
Mitigation: Monitored encrypted outbound flows and flagged anomalous or unexpected transfers.
Rapid detection and response to malicious behaviors within developer and cloud environments.
Impact at a Glance
Affected Business Functions
- Software Development
- Cryptocurrency Transactions
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive source code, developer credentials, and cryptocurrency wallets.
Recommended Actions
Key Takeaways & Next Steps
- • Enforce Zero Trust Segmentation to isolate developer environments from production and sensitive cloud resources.
- • Implement robust egress filtering and FQDN-based policy enforcement to block unauthorized outbound communications including covert C2 channels.
- • Enable continuous monitoring and anomaly detection to rapidly identify unusual extension deployments and suspicious behaviors.
- • Apply east-west traffic inspection across cloud and developer networks to prevent lateral movement of threats.
- • Centralize visibility and policy management to ensure consistent enforcement of security controls throughout the supply chain lifecycle.
