VDB

GCVE-110-OSM-2026-350

GCVE-110-OSM-2026-350
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 9, 2026
Malicious package detected. Behaviors: code execution. Microsoft removal context: Extension ID: RoyHtml.meta-lang Publisher: RoyHtml Removal Date: 6/1/2026 Violation Type: untrustworthy Removed from the VS Code Marketplace by Microsoft for violating marketplace policies. Source: https://github.com/microsoft/vsmarketplace/blob/main/RemovedPackages.md ENTRY out/extension.js (vscode-activation: [object Object]) DESTINATION - telegram-bot: api.telegram.org/bot`{token}`/getUpdates (primary, plaintext) in template_env/Lib/site-packages/tqdm/contrib/telegram.py - ipv4: 4.10.22.7 (c2, plaintext) - domains: api.pexels.com (c2, plaintext) - bitcoinAddresses: 3NiAGhEZGM1hmYFW9snjdufE5Btf (exfil, plaintext) OBFUSCATION - Decoded Base64 Content in template_env/Scripts/Activate.ps1 (x30) - Decoded Hex Escape Content in template_env/Lib/site-packages/PIL/WalImageFile.py (x7) - recovered 10 urls, 5 domains from decoded/deobfuscated content ADDITIONAL FINDINGS - Shell Command Execution in out/extension.js: "require('child_process')" PAYLOAD FILES template_env/Scripts/Activate.ps1 INDICATORS (IOCs) - ipv4: 7.9.2.2, 6.0.0.0, 4.5.4.60, 4.5.4.58, 4.6.0.66 (+11 more) - ipv6: 3::, 1::, 37::, 111::, 33:: (+7 more) - urls: https://bugs.ghostscript.com/show_bug.cgi?id=698272, https://www.matthewflickinger.com/lab/whatsinagif/bits_and_bytes.asp, https://www.cazabon.com, https://www.cazabon.com/pyCMS, https://www.littlecms.com (+55 more) - domains: api.remove.bg, oss.sgi.com, bugs.ghostscript.com, www.adobe.com, partners.adobe.com (+30 more) - emails: jerome@leclan.ch, kevin@cazabon.com, aurelien.ballier@cyclonit.com, gcoats@labiris.er.usgs.gov, gregc@cgl.ucsf.edu (+26 more) - sha256Hashes: dbca16040fd2b85a499ba59833b37f1785c58e52d2e89ce5cdfc7fff164bd5f3, 83f4e63681fcba8a9d7bbb1688c71981b1837446514a1773597e0192bba9fac3, 5dd94a95025f3b6e3dd440d52f7c6d2964fdd1aa119e0ee92e38c7bf83829e5c, 0b1d3d3664915577ab9a32188d29bbf3542b86c7b9ce333e245496c3018819f1, e8d3bff0c1a9a6955993f7a441121a2692261421e82fdfadaaded45d3bea9980 (+2 more) - payloadFileHash: 80f829e1c4f02707129635600349e476a6cfa1477107ce6b5a27616c50bdf083

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownflutxvs.vscode-kuberntes-extensionall (affected), all (affected), all (affected), all (affected), all (affected), * (affected)
unknownRoyHtml.meta-lang1.0.4 (affected)
unknownRimworld.Reference.Libary* (affected)
unknowngvotcha.claude-code-extensionall (affected)
unknownkharizma.vscode-extension-wakatimeall (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected)

Browse GCVE Records

73,053 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›