VDB
GCVE-110-OSM-2026-350
GCVE-110-OSM-2026-350
Advisory PublishedCVSS 9.6/10
Malicious package detected. Behaviors: code execution.
Microsoft removal context:
Extension ID: RoyHtml.meta-lang
Publisher: RoyHtml
Removal Date: 6/1/2026
Violation Type: untrustworthy
Removed from the VS Code Marketplace by Microsoft for violating marketplace policies.
Source: https://github.com/microsoft/vsmarketplace/blob/main/RemovedPackages.md
ENTRY
out/extension.js (vscode-activation: [object Object])
DESTINATION
- telegram-bot: api.telegram.org/bot`{token}`/getUpdates (primary, plaintext) in template_env/Lib/site-packages/tqdm/contrib/telegram.py
- ipv4: 4.10.22.7 (c2, plaintext)
- domains: api.pexels.com (c2, plaintext)
- bitcoinAddresses: 3NiAGhEZGM1hmYFW9snjdufE5Btf (exfil, plaintext)
OBFUSCATION
- Decoded Base64 Content in template_env/Scripts/Activate.ps1 (x30)
- Decoded Hex Escape Content in template_env/Lib/site-packages/PIL/WalImageFile.py (x7)
- recovered 10 urls, 5 domains from decoded/deobfuscated content
ADDITIONAL FINDINGS
- Shell Command Execution in out/extension.js: "require('child_process')"
PAYLOAD FILES
template_env/Scripts/Activate.ps1
INDICATORS (IOCs)
- ipv4: 7.9.2.2, 6.0.0.0, 4.5.4.60, 4.5.4.58, 4.6.0.66 (+11 more)
- ipv6: 3::, 1::, 37::, 111::, 33:: (+7 more)
- urls: https://bugs.ghostscript.com/show_bug.cgi?id=698272, https://www.matthewflickinger.com/lab/whatsinagif/bits_and_bytes.asp, https://www.cazabon.com, https://www.cazabon.com/pyCMS, https://www.littlecms.com (+55 more)
- domains: api.remove.bg, oss.sgi.com, bugs.ghostscript.com, www.adobe.com, partners.adobe.com (+30 more)
- emails: jerome@leclan.ch, kevin@cazabon.com, aurelien.ballier@cyclonit.com, gcoats@labiris.er.usgs.gov, gregc@cgl.ucsf.edu (+26 more)
- sha256Hashes: dbca16040fd2b85a499ba59833b37f1785c58e52d2e89ce5cdfc7fff164bd5f3, 83f4e63681fcba8a9d7bbb1688c71981b1837446514a1773597e0192bba9fac3, 5dd94a95025f3b6e3dd440d52f7c6d2964fdd1aa119e0ee92e38c7bf83829e5c, 0b1d3d3664915577ab9a32188d29bbf3542b86c7b9ce333e245496c3018819f1, e8d3bff0c1a9a6955993f7a441121a2692261421e82fdfadaaded45d3bea9980 (+2 more)
- payloadFileHash: 80f829e1c4f02707129635600349e476a6cfa1477107ce6b5a27616c50bdf083
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | flutxvs.vscode-kuberntes-extension | all (affected), all (affected), all (affected), all (affected), all (affected), * (affected) | — |
| unknown | RoyHtml.meta-lang | 1.0.4 (affected) | — |
| unknown | Rimworld.Reference.Libary | * (affected) | — |
| unknown | gvotcha.claude-code-extension | all (affected) | — |
| unknown | kharizma.vscode-extension-wakatime | all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected) | — |
References
Browse GCVE Records
73,053 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.