VDB
GCVE-110-OSM-2026-3740
GCVE-110-OSM-2026-3740
Advisory PublishedCVSS 9.6/10
Malicious vscode tasks.json file delivers malware to user device when the repository is opened as trusted workspace on user device.
Attacker delivers malware using two vectors, first one is malicious vscode tasks.json.
Second one during runtime attacker steals all environment variables to attacker controlled C2 base64 encoded in .env file, the returned payload also results in code execution user device.
Payloads are obfuscated JS malware.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | all (affected) | — |
References
Malicious package:
advisory
Browse GCVE Records
73,118 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.