Cybersecurity Headlines

"SleepyDuck" uses Ethereum, SesameOp abuses OpenAI API, cybercrooks steal physical cargo

Nov 4, 2025
Explore the rising threat of the 'SleepyDuck' VS Code extension, which uses an Ethereum contract to update its command server address. Dive into the alarming misuse of OpenAI's API for espionage by SesameOp. Discover how cybercriminals are colluding with organized crime to hijack physical cargo shipments. Learn about new Windows vulnerabilities that can lead to remote code execution. The world of cyber threats is evolving, and the stakes have never been higher!
INSIGHT

Extension Turns Malicious After Many Installs

  • SecureAnnex found a Visual Studio extension called SleepyDuck that turned malicious after ~14,000 installs.
  • The attackers used an Ethereum contract to dynamically update the extension's C2 address, so that blocking a single server would not cut off the malware.
INSIGHT

Persistent C2 And Cryptocurrency Mining Link

  • SleepyDuck collects system details and contacts its command server every 30 seconds once a Solidity file is opened.
  • The same group also deployed rogue VS Code extensions that mine Monero via PowerShell scripts.
INSIGHT

AI Assistance API Misused As C2 Channel

  • Microsoft found SesameOp using the OpenAI Assistance API as a covert C2 channel active since July.
  • Attackers relayed encrypted commands through OpenAI infrastructure instead of traditional malicious servers.