VDB

GCVE-110-OSM-2026-3470

GCVE-110-OSM-2026-3470
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 1, 2026
Malicious VSCode tasks.json that delivers malware to user device, when the repository is opened as trusted workspace on visual studio code. The payload URL uses URL shortner that aligns with the TasksJacker campaign reported by OSM. The attacker C2 is hosted at 165[.]140[.]86[.]190, the final payload delivers infostealer malware.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown* (affected)

References

Browse GCVE Records

72,580 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›