VDB
GCVE-110-OSM-2026-389
GCVE-110-OSM-2026-389
Advisory PublishedCVSS 8.8/10
Malicious package detected. Behaviors: code execution.
Microsoft removal context:
Extension ID: liuxy-CN.preview-everything
Publisher: liuxy-CN
Removal Date: 6/7/2026
Violation Type: impersonation
Removed from the VS Code Marketplace by Microsoft for violating marketplace policies.
Source: https://github.com/microsoft/vsmarketplace/blob/main/RemovedPackages.md
ENTRY
out/extension.js (vscode-activation: [object Object])
DESTINATION
- bitcoinAddresses: 1f7CCYhUn2pu6LGaVVvPKbPn4d4iWi (exfil, plaintext)
- bitcoinAddresses: 1MAVAAAABP7RAVGBQAAFPtEBTUFAAAV (exfil, plaintext)
- bitcoinAddresses: 1jcFj9B76P43Ks4P9tpZrc7GyfLGm (exfil, plaintext)
- bitcoinAddresses: 15aSn5Z6L5py656Wo55CG6Kej5Yy (exfil, plaintext)
ADDITIONAL FINDINGS
- Shell Command Execution in out/extension.js: "require("child_process")"
PAYLOAD FILES
out/extension.js
INDICATORS (IOCs)
- ipv4: 1.0.0.0
- ipv6: 0::, c2::
- urls: https://www.plantuml.com/plantuml, http://momentjs.com/guides/#/warnings/define-locale/, http://momentjs.com/guides/#/warnings/js-date/, http://momentjs.com/guides/#/warnings/min-max/, http://momentjs.com/guides/#/warnings/add-inverted-param/ (+45 more)
- domains: gf.Cc, Tg.Cc, global.global, www.plantuml.com, momentjs.com (+12 more)
- emails: s.mellai@arduino.cc, vast@whiteants.net
- payloadFileHash: de80492646b87b9b68605ad46e5c880ec76248d874aca6ebd9e448f1b689bb1c
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | TheRealGorgan.vscode-google-tasks-extension | all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), * (affected) | — |
| unknown | 723Studio.fta-ruleset-tools | all (affected) | — |
| unknown | liuxy-CN.preview-everything | 3.6.2 (affected) | — |
| unknown | Acronix-dev.Go-work-tools | all (affected), * (affected), all (affected), all (affected), all (affected), * (affected) | — |
| unknown | tokcodes.import-cost-extension | all (affected) | — |
References
Browse GCVE Records
73,393 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.