Author | Lightnews

Reposted by tuckner

Catalin Cimpanu @campuscodi.risky.biz · 21h

-Couple loses fortune to scammers
-Valid accounts still rule the day for initial access
-Open VSX rotate leaked creds
-ZeroAccess botnet dev is now a software dev
-BadCandy flourishes in Australia
-New Katreus miner
-Malware reports on Aura Stealer, SectopRAT, SleepyDuck RAT, OysterLoader

1 4 6

tuckner @johntuckner.me · 14h

Full details here - secureannex.com/blog/sleepyd...

SleepyDuck malware invades Cursor through Open VSX

The advanced SleepyDuck IDE extension RAT uses Ethereum contracts for persistence.

secureannex.com

tuckner @johntuckner.me · 14h

You can watch these updates by monitoring the contract. For instance this was an update of the C2 server from localhost to it's currently active domain.

1

tuckner @johntuckner.me · 14h

If the original C2 server is taken down, the extension will check a smart contract hosted on the Ethereum blockchain for new server details. It also allows for 'emergency' command execution through the extension.

1

tuckner @johntuckner.me · 14h

Responses from the command and control server will be executed in the sandbox on the endpoint allowing full machine access.

1

tuckner @johntuckner.me · 14h

The extension initializes by getting machine details, contacting sleepyduck, and creating a sandbox environment for code execution

1

tuckner @johntuckner.me · 14h

From North Korean tradecraft to being used in Cursor extensions in two weeks. Etherhiding is a technique where malware can use Ethereum contracts as a resilient C2 channel detailed by Google Oct 15th. It is now appearing in code extensions with the first sighting November 1st.

1 1

tuckner @johntuckner.me · 14h

Full details here - secureannex.com/blog/sleepyd...

SleepyDuck malware invades Cursor through Open VSX

The advanced SleepyDuck IDE extension RAT uses Ethereum contracts for persistence.

secureannex.com

tuckner @johntuckner.me · 14h

You can watch these updates by monitoring the contract. For instance this was an update of the C2 server from localhost to it's currently active domain.

1

tuckner @johntuckner.me · 14h

If the original C2 server is taken down, the extension will check a smart contract hosted on the Ethereum blockchain for new server details. It also allows for 'emergency' command execution through the extension.

1

tuckner @johntuckner.me · 14h

Responses from the command and control server will be executed in the sandbox on the endpoint allowing full machine access.

1

tuckner @johntuckner.me · 14h

The extension initializes by getting machine details, contacting sleepyduck, and creating a sandbox environment for code execution

1

tuckner @johntuckner.me · 14h

From North Korean tradecraft to being used in Cursor extensions in two weeks. Etherhiding is a technique where malware can use Ethereum contracts as a resilient C2 channel detailed by Google Oct 15th. It is now appearing in code extensions with the first sighting November 1st.

1 1

tuckner @johntuckner.me · 2d

The SleepyDuck code extension malware is an advanced remote access trojan allowing for remote command execution on any endpoint that installs it. Take down the C2 server? It uses an Ethereum contract to update its settings to a new endpoint.

secureannex.com/blog/sleepyd...

SleepyDuck malware invades Cursor through Open VSX

The advanced SleepyDuck IDE extension RAT uses Ethereum contracts for persistence.

secureannex.com

3 1

tuckner @johntuckner.me · 3d

If you're against 100 grand and gummy clusters, you should just retire from the game.

tuckner @johntuckner.me · 3d

If you thought you were ahead by using Windsurf... nope!

Check out the @secureannex.com extension to protect yourself from malicious extensions right now.

open-vsx.org/extension/se...

tuckner @johntuckner.me · 3d

Today's edition of pick the right solidity in Cursor. Yes - this IS different than yesterday

tuckner @johntuckner.me · 4d

... and this one from August

bsky.app/profile/john...

tuckner @johntuckner.me · Aug 22

This is how the extension appears when a user searches "solidity" Cursor. "Test Extension" was already the 4th option and had the most installs. Hours later it was updated to look MUCH more convincing.

tuckner @johntuckner.me · 4d

This screenshot is from today but looks oddly familiar to this one from September

bsky.app/profile/john...

tuckner @johntuckner.me · Sep 7

Six malicious extensions listed in Cursor and hosted on Open VSX. All are squatting on other packages and are showing above the safe versions they target.

1

tuckner @johntuckner.me · 4d

Three malicious solidity extensions were published to Open VSX today.

Would you be able to tell which is the real one in Cursor?

This repeated behavior has been going on since June and anyone can detect it by just matching against 'solidity'. When will progress be made?

1

tuckner @johntuckner.me · 4d

Most of us just want a Pikachu sprite dancing on our code, but threat actors want to spoil the fun. Yesterday five malicious VS Code extensions were published, one a Pokemon theme and syntax highlighter, but instead disable Windows Defender and installs a cryptominer

secureannex.com/blog/pokemon...

tuckner @johntuckner.me · 6d

🫡🫡🫡🫡

tuckner @johntuckner.me · 7d

My first response from VS Marketplace support is requesting supporting additional evidence I have that this listing is malware.

If anyone can publish an extension with admittedly malicious intent with no response, what does that do for the health of the marketplace?

1 1

tuckner @johntuckner.me · 10d

The "test malware" made it's way into the VS Marketplace easily

2

tuckner @johntuckner.me · 10d