VDB
GCVE-110-OSM-2026-640
GCVE-110-OSM-2026-640
Advisory PublishedCVSS 5.4/10
Malicious vscode tasks.json file that executes when the user opens the repository in vscode as trusted workspace.
The payload C2 host has been taken down. But the indicators are associated known contagious interview campaign that uses tasks.json to deliver malware.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | lightmock | all (affected), all (affected), all (affected), all (affected), all (affected), * (affected) | — |
| unknown | lm-sys | all (affected) | — |
| unknown | all (affected), * (affected), all (affected), all (affected), all (affected) | — | |
| unknown | batch-shipyard | all (affected), all (affected) | — |
| unknown | hy-api-utilities | all (affected), * (affected) | — |
References
Malicious pypi package: lightmock
advisory
Malicious package:
advisory
Malicious pypi package: lm-sys
advisory
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.