VDB

GCVE-110-OSM-2026-389

GCVE-110-OSM-2026-389
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published June 9, 2026
Malicious package detected. Behaviors: code execution. Microsoft removal context: Extension ID: liuxy-CN.preview-everything Publisher: liuxy-CN Removal Date: 6/7/2026 Violation Type: impersonation Removed from the VS Code Marketplace by Microsoft for violating marketplace policies. Source: https://github.com/microsoft/vsmarketplace/blob/main/RemovedPackages.md ENTRY out/extension.js (vscode-activation: [object Object]) DESTINATION - bitcoinAddresses: 1f7CCYhUn2pu6LGaVVvPKbPn4d4iWi (exfil, plaintext) - bitcoinAddresses: 1MAVAAAABP7RAVGBQAAFPtEBTUFAAAV (exfil, plaintext) - bitcoinAddresses: 1jcFj9B76P43Ks4P9tpZrc7GyfLGm (exfil, plaintext) - bitcoinAddresses: 15aSn5Z6L5py656Wo55CG6Kej5Yy (exfil, plaintext) ADDITIONAL FINDINGS - Shell Command Execution in out/extension.js: "require("child_process")" PAYLOAD FILES out/extension.js INDICATORS (IOCs) - ipv4: 1.0.0.0 - ipv6: 0::, c2:: - urls: https://www.plantuml.com/plantuml, http://momentjs.com/guides/#/warnings/define-locale/, http://momentjs.com/guides/#/warnings/js-date/, http://momentjs.com/guides/#/warnings/min-max/, http://momentjs.com/guides/#/warnings/add-inverted-param/ (+45 more) - domains: gf.Cc, Tg.Cc, global.global, www.plantuml.com, momentjs.com (+12 more) - emails: s.mellai@arduino.cc, vast@whiteants.net - payloadFileHash: de80492646b87b9b68605ad46e5c880ec76248d874aca6ebd9e448f1b689bb1c

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownTheRealGorgan.vscode-google-tasks-extensionall (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), * (affected)
unknown723Studio.fta-ruleset-toolsall (affected)
unknownliuxy-CN.preview-everything3.6.2 (affected)
unknownAcronix-dev.Go-work-toolsall (affected), * (affected), all (affected), all (affected), all (affected), * (affected)
unknowntokcodes.import-cost-extensionall (affected)

Browse GCVE Records

73,393 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›