VDB
GCVE-110-OSM-2026-4971
GCVE-110-OSM-2026-4971
Advisory PublishedCVSS 9.6/10
Malicious vscode tasks.json file that delivers malware when the repository is opened in visual studio code as trusted workspace.
There are two payload delivery methods. First through tasks.json file, second through base64 encoded C2 https[://]vscode-checking-ip[.]vercel[.]app/api in the .env file, that is used during runtime. The first payload delivers obfuscated JS file in third stage that talks to the C2 http[://]138.201.128.169:1224[/]api[/]checkStatus sends a GET request with environment variables and system info. The code runs every 5000 to fetch further instructions.
Also POST request to 138[.]201[.]128[.]169 with base64 encode text that translates to "now time to get everything"
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | all (affected) | — |
References
Malicious package:
advisory
Browse GCVE Records
72,096 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.