VDB

GCVE-110-OSM-2026-349

GCVE-110-OSM-2026-349
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 9, 2026
Malicious package detected. Behaviors: code execution, network activity. Microsoft removal context: Extension ID: RoyHtml.xampp-manager Publisher: RoyHtml Removal Date: 6/1/2026 Violation Type: malware Removed from the VS Code Marketplace by Microsoft for violating marketplace policies. Source: https://github.com/microsoft/vsmarketplace/blob/main/RemovedPackages.md ENTRY out/extension.js (vscode-activation: [object Object]) DESTINATION - loader: https://drive.google.com/file/d/1eLMIazoDioccAmORp1LIN2S_CzrlnV0_/preview (loader, plaintext) in out/extension.js EXFIL - Google Drive Remote Code Loader in out/extension.js: "drive.google.com/file/d/1eLMIazoDioccAmORp1LIN2S_CzrlnV0_" ADDITIONAL FINDINGS - Shell Command Execution in web/web.js: "require('child_process')" PAYLOAD FILES out/extension.js INDICATORS (IOCs) - ipv4: 12.22.37.29, 24.24.41.48 - urls: http://timestamp.digicert.com, https://meta.panel, http://*/*, https://*/*, https://\x1b[0m\r\n\x1b[1;32mYou:\x1b[0m (+3 more) - domains: libc.so, api.qrserver.com, api.vercel.com, main.sh, timestamp.digicert.com (+5 more) - emails: dev@meta.com - payloadFileHash: 922a3d422d5cbcc3af1d79c6c818c370133fb23ae18ce896fbec0365a1e55206

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownRimworld.References.Netall (affected)
unknownRoyHtml.xampp-manager5.0.1 (affected)
unknowngvotcha.claude-code-extensionall (affected), all (affected), all (affected), all (affected), all (affected), all (affected)
unknownko-zu-gun-studio.synchronization-settings-vscodeall (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected)
unknowngvotcha.claude-code-extensionsall (affected)

Browse GCVE Records

72,337 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›