A remote access trojan dubbed SleepyDuck, disguised as the well-known Solidity extension in the Open VSX open-source registry, uses an Ethereum smart contract to establish a communication channel with the attacker.
Open VSX is a community-driven registry for extensions compatible with VS Code, which are popular with AI-powered integrated development environments (IDEs) like Cursor and Windsurf.
The extension is still present on Open VSX as ‘juan-bianco.solidity-vlang’, albeit with a warning from the platform, and has been downloaded more than 53,000 times.
