VDB
GCVE-110-OSM-2026-349
GCVE-110-OSM-2026-349
Advisory PublishedCVSS 9.6/10
Malicious package detected. Behaviors: code execution, network activity.
Microsoft removal context:
Extension ID: RoyHtml.xampp-manager
Publisher: RoyHtml
Removal Date: 6/1/2026
Violation Type: malware
Removed from the VS Code Marketplace by Microsoft for violating marketplace policies.
Source: https://github.com/microsoft/vsmarketplace/blob/main/RemovedPackages.md
ENTRY
out/extension.js (vscode-activation: [object Object])
DESTINATION
- loader: https://drive.google.com/file/d/1eLMIazoDioccAmORp1LIN2S_CzrlnV0_/preview (loader, plaintext) in out/extension.js
EXFIL
- Google Drive Remote Code Loader in out/extension.js: "drive.google.com/file/d/1eLMIazoDioccAmORp1LIN2S_CzrlnV0_"
ADDITIONAL FINDINGS
- Shell Command Execution in web/web.js: "require('child_process')"
PAYLOAD FILES
out/extension.js
INDICATORS (IOCs)
- ipv4: 12.22.37.29, 24.24.41.48
- urls: http://timestamp.digicert.com, https://meta.panel, http://*/*, https://*/*, https://\x1b[0m\r\n\x1b[1;32mYou:\x1b[0m (+3 more)
- domains: libc.so, api.qrserver.com, api.vercel.com, main.sh, timestamp.digicert.com (+5 more)
- emails: dev@meta.com
- payloadFileHash: 922a3d422d5cbcc3af1d79c6c818c370133fb23ae18ce896fbec0365a1e55206
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | Rimworld.References.Net | all (affected) | — |
| unknown | RoyHtml.xampp-manager | 5.0.1 (affected) | — |
| unknown | gvotcha.claude-code-extension | all (affected), all (affected), all (affected), all (affected), all (affected), all (affected) | — |
| unknown | ko-zu-gun-studio.synchronization-settings-vscode | all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected) | — |
| unknown | gvotcha.claude-code-extensions | all (affected) | — |
References
Browse GCVE Records
72,337 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.