VDB

GCVE-110-OSM-2026-1013

GCVE-110-OSM-2026-1013
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published March 27, 2026
SleepyDuck / Solidity-vlang (October-November 2025): Solidity (typosquat of juan-blanco) by juan-bianco. Backdoor with Ethereum blockchain C2. Status: Present with warning Remote Access Trojan (SleepyDuck) targeting Solidity/smart contract developers via typosquatted extension. Activates when a new editor window opens or any .sol file is selected. Implements Ethereum-based C2 resilience: discovers fastest available Ethereum RPC provider, then queries smart contract at 0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465 to retrieve current C2 server address. This dead drop resolver pattern allows threat actor (wallet: 0x0edcfe26cf600fb56ae6aaf3f1d943c811314573) to dynamically update C2 infrastructure via blockchain transactions, bypassing traditional domain takedowns. Fallback mechanism includes predefined list of Ethereum RPC endpoints if primary resolution fails. Primary C2 server: sleepyduck[.]xyz. Establishes polling loop checking for commands every 30 seconds. Exfiltrates system reconnaissance including hostname, username, MAC address, and timezone. Supports remote command execution, dynamic server reconfiguration via contract updates, and emergency broadcast commands to all infected endpoints. Includes sandbox evasion techniques. Initially published as benign version 0.0.7 on Oct 31, 2025, then updated to malicious v0.0.8 on Nov 1 after accumulating ~14,000 downloads (likely artificially inflated to boost search ranking). Part of ongoing campaign targeting Solidity developers across VS Code Marketplace and Open VSX registries.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownSolidity (typosquat of juan-blanco)all (affected)

Browse GCVE Records

73,118 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›