VDB
GCVE-110-OSM-2026-421
GCVE-110-OSM-2026-421
Advisory PublishedCVSS 9.6/10
Malicious package detected. Behaviors: data exfiltration, code execution.
Microsoft removal context:
Extension ID: Embedder.embedder-infineon
Publisher: Embedder
Removal Date: 5/22/2026
Violation Type: untrustworthy
Removed from the VS Code Marketplace by Microsoft for violating marketplace policies.
Source: https://github.com/microsoft/vsmarketplace/blob/main/RemovedPackages.md
Entrypoint: out/extension.js (vscode-activation: [object Object])
Exfil: https://www.rfc-editor.org/rfc/rfc5789.html (custom-c2, recovery: plaintext in out/extension.js)
Payload: out/extension.js
Key findings:
- Environment Variable Exfiltration in out/extension.js: "process.env["GITHUB_SHA"] || // GitLab CI - https://docs.gitlab.com/ee/ci/variab..."
- Shell Command Execution in out/extension.js: "child_process").spawn"
IOCs:
- urls: https://docs.embedder.com/changelog, https://app.embedder.com, https://kicanvas.org/home, https://thea.codes, https://partsbox.com/ (+45 more)
- domains: docs.embedder.com, app.embedder.com, embedder.com, kicanvas.org, partsbox.com (+31 more)
- emails: help@embedder.com, founders@embedder.com, dabh@alumni.stanford.edu, ffddaca20e5fd45b5c4c4263140fd909@sentry-service-prod.embedder.dev
- payloadFileHash: e9bbf6655b6b1adee3192fcb5e9d3ef80350f0c5957c850dd320aa373ed615a8
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | sun-shine-studio.shiny-extension-for-vscode | all (affected), * (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected) | — |
| unknown | Embedder.embedder-infineon | 0.3.115 (affected) | — |
| unknown | sol-studio.solidity-extension | all (affected), all (affected), * (affected), * (affected), * (affected), all (affected) | — |
| unknown | ko-zu-gun-studio.synchronization-settings-vscode | all (affected) | — |
| unknown | ssgwysc.volar-vscode | all (affected) | — |
References
Browse GCVE Records
72,409 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.