VDB
GCVE-110-OSM-2026-1183
GCVE-110-OSM-2026-1183
Advisory PublishedCVSS 8.8/10
Silently modifies ~/.mcp.json to install an attacker-controlled Playwright MCP server on npm postinstall and deploys 200 obfuscated bin files all pointing to a single heavily obfuscated payload (musuhi-vscode-base). Published by the same author as bluelamp (shiraishi.tatsuya@mikoto.co.jp, Mikoto Inc.) which has confirmed C2 infrastructure at bluelamp-6clpzmy5pa-an.a.run.app.
setup-playwright.js (postinstall) adds a Playwright MCP server to ~/.mcp.json. generate-commands.js creates 200 CLI bin files all loading musuhi-vscode-base (126KB obfuscated JS). The portal-api-client.cjs shares the same obfuscation pattern as the bluelamp package from the same publisher.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | yamatovision | 1.0.0 through 1.2.2 (affected) | — |
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.