VDB

GCVE-110-OSM-2026-3740

GCVE-110-OSM-2026-3740
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 9, 2026
Malicious vscode tasks.json file delivers malware to user device when the repository is opened as trusted workspace on user device. Attacker delivers malware using two vectors, first one is malicious vscode tasks.json. Second one during runtime attacker steals all environment variables to attacker controlled C2 base64 encoded in .env file, the returned payload also results in code execution user device. Payloads are obfuscated JS malware.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownall (affected)

References

Browse GCVE Records

73,118 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›