On January 30, 2026, four established Open VSX extensions published by the oorzc author had malicious versions published to Open VSX that embed the GlassWorm malware loader, These extensions had previously been presented as legitimate developer utilities (some first published more than two years ago) and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases.
In the latest instance detected by the enterprise extension security firm, the malware is triggered when a new code editor window is opened or a .sol file is selected. Specifically, it's configured to find the fastest Ethereum Remote Procedure Call (RPC) provider to connect to in order to obtain access to the blockchain, initialize contact with a remote server at "sleepyduck[.]xyz" (hence the name) via the contract address " 0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465," and kicks off a polling loop that checks for new commands to be executed on the host every 30 seconds.